xref: /openbmc/linux/net/bluetooth/smp.c (revision 5d0e4d78)
1 /*
2    BlueZ - Bluetooth protocol stack for Linux
3    Copyright (C) 2011 Nokia Corporation and/or its subsidiary(-ies).
4 
5    This program is free software; you can redistribute it and/or modify
6    it under the terms of the GNU General Public License version 2 as
7    published by the Free Software Foundation;
8 
9    THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS
10    OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
11    FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT OF THIRD PARTY RIGHTS.
12    IN NO EVENT SHALL THE COPYRIGHT HOLDER(S) AND AUTHOR(S) BE LIABLE FOR ANY
13    CLAIM, OR ANY SPECIAL INDIRECT OR CONSEQUENTIAL DAMAGES, OR ANY DAMAGES
14    WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
15    ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
16    OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
17 
18    ALL LIABILITY, INCLUDING LIABILITY FOR INFRINGEMENT OF ANY PATENTS,
19    COPYRIGHTS, TRADEMARKS OR OTHER RIGHTS, RELATING TO USE OF THIS
20    SOFTWARE IS DISCLAIMED.
21 */
22 
23 #include <linux/debugfs.h>
24 #include <linux/scatterlist.h>
25 #include <linux/crypto.h>
26 #include <crypto/algapi.h>
27 #include <crypto/b128ops.h>
28 #include <crypto/hash.h>
29 
30 #include <net/bluetooth/bluetooth.h>
31 #include <net/bluetooth/hci_core.h>
32 #include <net/bluetooth/l2cap.h>
33 #include <net/bluetooth/mgmt.h>
34 
35 #include "ecdh_helper.h"
36 #include "smp.h"
37 
38 #define SMP_DEV(hdev) \
39 	((struct smp_dev *)((struct l2cap_chan *)((hdev)->smp_data))->data)
40 
41 /* Low-level debug macros to be used for stuff that we don't want
42  * accidentially in dmesg, i.e. the values of the various crypto keys
43  * and the inputs & outputs of crypto functions.
44  */
45 #ifdef DEBUG
46 #define SMP_DBG(fmt, ...) printk(KERN_DEBUG "%s: " fmt, __func__, \
47 				 ##__VA_ARGS__)
48 #else
49 #define SMP_DBG(fmt, ...) no_printk(KERN_DEBUG "%s: " fmt, __func__, \
50 				    ##__VA_ARGS__)
51 #endif
52 
53 #define SMP_ALLOW_CMD(smp, code)	set_bit(code, &smp->allow_cmd)
54 
55 /* Keys which are not distributed with Secure Connections */
56 #define SMP_SC_NO_DIST (SMP_DIST_ENC_KEY | SMP_DIST_LINK_KEY);
57 
58 #define SMP_TIMEOUT	msecs_to_jiffies(30000)
59 
60 #define AUTH_REQ_MASK(dev)	(hci_dev_test_flag(dev, HCI_SC_ENABLED) ? \
61 				 0x3f : 0x07)
62 #define KEY_DIST_MASK		0x07
63 
64 /* Maximum message length that can be passed to aes_cmac */
65 #define CMAC_MSG_MAX	80
66 
67 enum {
68 	SMP_FLAG_TK_VALID,
69 	SMP_FLAG_CFM_PENDING,
70 	SMP_FLAG_MITM_AUTH,
71 	SMP_FLAG_COMPLETE,
72 	SMP_FLAG_INITIATOR,
73 	SMP_FLAG_SC,
74 	SMP_FLAG_REMOTE_PK,
75 	SMP_FLAG_DEBUG_KEY,
76 	SMP_FLAG_WAIT_USER,
77 	SMP_FLAG_DHKEY_PENDING,
78 	SMP_FLAG_REMOTE_OOB,
79 	SMP_FLAG_LOCAL_OOB,
80 	SMP_FLAG_CT2,
81 };
82 
83 struct smp_dev {
84 	/* Secure Connections OOB data */
85 	u8			local_pk[64];
86 	u8			local_sk[32];
87 	u8			local_rand[16];
88 	bool			debug_key;
89 
90 	u8			min_key_size;
91 	u8			max_key_size;
92 
93 	struct crypto_cipher	*tfm_aes;
94 	struct crypto_shash	*tfm_cmac;
95 };
96 
97 struct smp_chan {
98 	struct l2cap_conn	*conn;
99 	struct delayed_work	security_timer;
100 	unsigned long           allow_cmd; /* Bitmask of allowed commands */
101 
102 	u8		preq[7]; /* SMP Pairing Request */
103 	u8		prsp[7]; /* SMP Pairing Response */
104 	u8		prnd[16]; /* SMP Pairing Random (local) */
105 	u8		rrnd[16]; /* SMP Pairing Random (remote) */
106 	u8		pcnf[16]; /* SMP Pairing Confirm */
107 	u8		tk[16]; /* SMP Temporary Key */
108 	u8		rr[16]; /* Remote OOB ra/rb value */
109 	u8		lr[16]; /* Local OOB ra/rb value */
110 	u8		enc_key_size;
111 	u8		remote_key_dist;
112 	bdaddr_t	id_addr;
113 	u8		id_addr_type;
114 	u8		irk[16];
115 	struct smp_csrk	*csrk;
116 	struct smp_csrk	*slave_csrk;
117 	struct smp_ltk	*ltk;
118 	struct smp_ltk	*slave_ltk;
119 	struct smp_irk	*remote_irk;
120 	u8		*link_key;
121 	unsigned long	flags;
122 	u8		method;
123 	u8		passkey_round;
124 
125 	/* Secure Connections variables */
126 	u8			local_pk[64];
127 	u8			local_sk[32];
128 	u8			remote_pk[64];
129 	u8			dhkey[32];
130 	u8			mackey[16];
131 
132 	struct crypto_cipher	*tfm_aes;
133 	struct crypto_shash	*tfm_cmac;
134 };
135 
136 /* These debug key values are defined in the SMP section of the core
137  * specification. debug_pk is the public debug key and debug_sk the
138  * private debug key.
139  */
140 static const u8 debug_pk[64] = {
141 		0xe6, 0x9d, 0x35, 0x0e, 0x48, 0x01, 0x03, 0xcc,
142 		0xdb, 0xfd, 0xf4, 0xac, 0x11, 0x91, 0xf4, 0xef,
143 		0xb9, 0xa5, 0xf9, 0xe9, 0xa7, 0x83, 0x2c, 0x5e,
144 		0x2c, 0xbe, 0x97, 0xf2, 0xd2, 0x03, 0xb0, 0x20,
145 
146 		0x8b, 0xd2, 0x89, 0x15, 0xd0, 0x8e, 0x1c, 0x74,
147 		0x24, 0x30, 0xed, 0x8f, 0xc2, 0x45, 0x63, 0x76,
148 		0x5c, 0x15, 0x52, 0x5a, 0xbf, 0x9a, 0x32, 0x63,
149 		0x6d, 0xeb, 0x2a, 0x65, 0x49, 0x9c, 0x80, 0xdc,
150 };
151 
152 static const u8 debug_sk[32] = {
153 		0xbd, 0x1a, 0x3c, 0xcd, 0xa6, 0xb8, 0x99, 0x58,
154 		0x99, 0xb7, 0x40, 0xeb, 0x7b, 0x60, 0xff, 0x4a,
155 		0x50, 0x3f, 0x10, 0xd2, 0xe3, 0xb3, 0xc9, 0x74,
156 		0x38, 0x5f, 0xc5, 0xa3, 0xd4, 0xf6, 0x49, 0x3f,
157 };
158 
159 static inline void swap_buf(const u8 *src, u8 *dst, size_t len)
160 {
161 	size_t i;
162 
163 	for (i = 0; i < len; i++)
164 		dst[len - 1 - i] = src[i];
165 }
166 
167 /* The following functions map to the LE SC SMP crypto functions
168  * AES-CMAC, f4, f5, f6, g2 and h6.
169  */
170 
171 static int aes_cmac(struct crypto_shash *tfm, const u8 k[16], const u8 *m,
172 		    size_t len, u8 mac[16])
173 {
174 	uint8_t tmp[16], mac_msb[16], msg_msb[CMAC_MSG_MAX];
175 	SHASH_DESC_ON_STACK(desc, tfm);
176 	int err;
177 
178 	if (len > CMAC_MSG_MAX)
179 		return -EFBIG;
180 
181 	if (!tfm) {
182 		BT_ERR("tfm %p", tfm);
183 		return -EINVAL;
184 	}
185 
186 	desc->tfm = tfm;
187 	desc->flags = 0;
188 
189 	/* Swap key and message from LSB to MSB */
190 	swap_buf(k, tmp, 16);
191 	swap_buf(m, msg_msb, len);
192 
193 	SMP_DBG("msg (len %zu) %*phN", len, (int) len, m);
194 	SMP_DBG("key %16phN", k);
195 
196 	err = crypto_shash_setkey(tfm, tmp, 16);
197 	if (err) {
198 		BT_ERR("cipher setkey failed: %d", err);
199 		return err;
200 	}
201 
202 	err = crypto_shash_digest(desc, msg_msb, len, mac_msb);
203 	shash_desc_zero(desc);
204 	if (err) {
205 		BT_ERR("Hash computation error %d", err);
206 		return err;
207 	}
208 
209 	swap_buf(mac_msb, mac, 16);
210 
211 	SMP_DBG("mac %16phN", mac);
212 
213 	return 0;
214 }
215 
216 static int smp_f4(struct crypto_shash *tfm_cmac, const u8 u[32],
217 		  const u8 v[32], const u8 x[16], u8 z, u8 res[16])
218 {
219 	u8 m[65];
220 	int err;
221 
222 	SMP_DBG("u %32phN", u);
223 	SMP_DBG("v %32phN", v);
224 	SMP_DBG("x %16phN z %02x", x, z);
225 
226 	m[0] = z;
227 	memcpy(m + 1, v, 32);
228 	memcpy(m + 33, u, 32);
229 
230 	err = aes_cmac(tfm_cmac, x, m, sizeof(m), res);
231 	if (err)
232 		return err;
233 
234 	SMP_DBG("res %16phN", res);
235 
236 	return err;
237 }
238 
239 static int smp_f5(struct crypto_shash *tfm_cmac, const u8 w[32],
240 		  const u8 n1[16], const u8 n2[16], const u8 a1[7],
241 		  const u8 a2[7], u8 mackey[16], u8 ltk[16])
242 {
243 	/* The btle, salt and length "magic" values are as defined in
244 	 * the SMP section of the Bluetooth core specification. In ASCII
245 	 * the btle value ends up being 'btle'. The salt is just a
246 	 * random number whereas length is the value 256 in little
247 	 * endian format.
248 	 */
249 	const u8 btle[4] = { 0x65, 0x6c, 0x74, 0x62 };
250 	const u8 salt[16] = { 0xbe, 0x83, 0x60, 0x5a, 0xdb, 0x0b, 0x37, 0x60,
251 			      0x38, 0xa5, 0xf5, 0xaa, 0x91, 0x83, 0x88, 0x6c };
252 	const u8 length[2] = { 0x00, 0x01 };
253 	u8 m[53], t[16];
254 	int err;
255 
256 	SMP_DBG("w %32phN", w);
257 	SMP_DBG("n1 %16phN n2 %16phN", n1, n2);
258 	SMP_DBG("a1 %7phN a2 %7phN", a1, a2);
259 
260 	err = aes_cmac(tfm_cmac, salt, w, 32, t);
261 	if (err)
262 		return err;
263 
264 	SMP_DBG("t %16phN", t);
265 
266 	memcpy(m, length, 2);
267 	memcpy(m + 2, a2, 7);
268 	memcpy(m + 9, a1, 7);
269 	memcpy(m + 16, n2, 16);
270 	memcpy(m + 32, n1, 16);
271 	memcpy(m + 48, btle, 4);
272 
273 	m[52] = 0; /* Counter */
274 
275 	err = aes_cmac(tfm_cmac, t, m, sizeof(m), mackey);
276 	if (err)
277 		return err;
278 
279 	SMP_DBG("mackey %16phN", mackey);
280 
281 	m[52] = 1; /* Counter */
282 
283 	err = aes_cmac(tfm_cmac, t, m, sizeof(m), ltk);
284 	if (err)
285 		return err;
286 
287 	SMP_DBG("ltk %16phN", ltk);
288 
289 	return 0;
290 }
291 
292 static int smp_f6(struct crypto_shash *tfm_cmac, const u8 w[16],
293 		  const u8 n1[16], const u8 n2[16], const u8 r[16],
294 		  const u8 io_cap[3], const u8 a1[7], const u8 a2[7],
295 		  u8 res[16])
296 {
297 	u8 m[65];
298 	int err;
299 
300 	SMP_DBG("w %16phN", w);
301 	SMP_DBG("n1 %16phN n2 %16phN", n1, n2);
302 	SMP_DBG("r %16phN io_cap %3phN a1 %7phN a2 %7phN", r, io_cap, a1, a2);
303 
304 	memcpy(m, a2, 7);
305 	memcpy(m + 7, a1, 7);
306 	memcpy(m + 14, io_cap, 3);
307 	memcpy(m + 17, r, 16);
308 	memcpy(m + 33, n2, 16);
309 	memcpy(m + 49, n1, 16);
310 
311 	err = aes_cmac(tfm_cmac, w, m, sizeof(m), res);
312 	if (err)
313 		return err;
314 
315 	SMP_DBG("res %16phN", res);
316 
317 	return err;
318 }
319 
320 static int smp_g2(struct crypto_shash *tfm_cmac, const u8 u[32], const u8 v[32],
321 		  const u8 x[16], const u8 y[16], u32 *val)
322 {
323 	u8 m[80], tmp[16];
324 	int err;
325 
326 	SMP_DBG("u %32phN", u);
327 	SMP_DBG("v %32phN", v);
328 	SMP_DBG("x %16phN y %16phN", x, y);
329 
330 	memcpy(m, y, 16);
331 	memcpy(m + 16, v, 32);
332 	memcpy(m + 48, u, 32);
333 
334 	err = aes_cmac(tfm_cmac, x, m, sizeof(m), tmp);
335 	if (err)
336 		return err;
337 
338 	*val = get_unaligned_le32(tmp);
339 	*val %= 1000000;
340 
341 	SMP_DBG("val %06u", *val);
342 
343 	return 0;
344 }
345 
346 static int smp_h6(struct crypto_shash *tfm_cmac, const u8 w[16],
347 		  const u8 key_id[4], u8 res[16])
348 {
349 	int err;
350 
351 	SMP_DBG("w %16phN key_id %4phN", w, key_id);
352 
353 	err = aes_cmac(tfm_cmac, w, key_id, 4, res);
354 	if (err)
355 		return err;
356 
357 	SMP_DBG("res %16phN", res);
358 
359 	return err;
360 }
361 
362 static int smp_h7(struct crypto_shash *tfm_cmac, const u8 w[16],
363 		  const u8 salt[16], u8 res[16])
364 {
365 	int err;
366 
367 	SMP_DBG("w %16phN salt %16phN", w, salt);
368 
369 	err = aes_cmac(tfm_cmac, salt, w, 16, res);
370 	if (err)
371 		return err;
372 
373 	SMP_DBG("res %16phN", res);
374 
375 	return err;
376 }
377 
378 /* The following functions map to the legacy SMP crypto functions e, c1,
379  * s1 and ah.
380  */
381 
382 static int smp_e(struct crypto_cipher *tfm, const u8 *k, u8 *r)
383 {
384 	uint8_t tmp[16], data[16];
385 	int err;
386 
387 	SMP_DBG("k %16phN r %16phN", k, r);
388 
389 	if (!tfm) {
390 		BT_ERR("tfm %p", tfm);
391 		return -EINVAL;
392 	}
393 
394 	/* The most significant octet of key corresponds to k[0] */
395 	swap_buf(k, tmp, 16);
396 
397 	err = crypto_cipher_setkey(tfm, tmp, 16);
398 	if (err) {
399 		BT_ERR("cipher setkey failed: %d", err);
400 		return err;
401 	}
402 
403 	/* Most significant octet of plaintextData corresponds to data[0] */
404 	swap_buf(r, data, 16);
405 
406 	crypto_cipher_encrypt_one(tfm, data, data);
407 
408 	/* Most significant octet of encryptedData corresponds to data[0] */
409 	swap_buf(data, r, 16);
410 
411 	SMP_DBG("r %16phN", r);
412 
413 	return err;
414 }
415 
416 static int smp_c1(struct crypto_cipher *tfm_aes, const u8 k[16],
417 		  const u8 r[16], const u8 preq[7], const u8 pres[7], u8 _iat,
418 		  const bdaddr_t *ia, u8 _rat, const bdaddr_t *ra, u8 res[16])
419 {
420 	u8 p1[16], p2[16];
421 	int err;
422 
423 	SMP_DBG("k %16phN r %16phN", k, r);
424 	SMP_DBG("iat %u ia %6phN rat %u ra %6phN", _iat, ia, _rat, ra);
425 	SMP_DBG("preq %7phN pres %7phN", preq, pres);
426 
427 	memset(p1, 0, 16);
428 
429 	/* p1 = pres || preq || _rat || _iat */
430 	p1[0] = _iat;
431 	p1[1] = _rat;
432 	memcpy(p1 + 2, preq, 7);
433 	memcpy(p1 + 9, pres, 7);
434 
435 	SMP_DBG("p1 %16phN", p1);
436 
437 	/* res = r XOR p1 */
438 	u128_xor((u128 *) res, (u128 *) r, (u128 *) p1);
439 
440 	/* res = e(k, res) */
441 	err = smp_e(tfm_aes, k, res);
442 	if (err) {
443 		BT_ERR("Encrypt data error");
444 		return err;
445 	}
446 
447 	/* p2 = padding || ia || ra */
448 	memcpy(p2, ra, 6);
449 	memcpy(p2 + 6, ia, 6);
450 	memset(p2 + 12, 0, 4);
451 
452 	SMP_DBG("p2 %16phN", p2);
453 
454 	/* res = res XOR p2 */
455 	u128_xor((u128 *) res, (u128 *) res, (u128 *) p2);
456 
457 	/* res = e(k, res) */
458 	err = smp_e(tfm_aes, k, res);
459 	if (err)
460 		BT_ERR("Encrypt data error");
461 
462 	return err;
463 }
464 
465 static int smp_s1(struct crypto_cipher *tfm_aes, const u8 k[16],
466 		  const u8 r1[16], const u8 r2[16], u8 _r[16])
467 {
468 	int err;
469 
470 	/* Just least significant octets from r1 and r2 are considered */
471 	memcpy(_r, r2, 8);
472 	memcpy(_r + 8, r1, 8);
473 
474 	err = smp_e(tfm_aes, k, _r);
475 	if (err)
476 		BT_ERR("Encrypt data error");
477 
478 	return err;
479 }
480 
481 static int smp_ah(struct crypto_cipher *tfm, const u8 irk[16],
482 		  const u8 r[3], u8 res[3])
483 {
484 	u8 _res[16];
485 	int err;
486 
487 	/* r' = padding || r */
488 	memcpy(_res, r, 3);
489 	memset(_res + 3, 0, 13);
490 
491 	err = smp_e(tfm, irk, _res);
492 	if (err) {
493 		BT_ERR("Encrypt error");
494 		return err;
495 	}
496 
497 	/* The output of the random address function ah is:
498 	 *	ah(k, r) = e(k, r') mod 2^24
499 	 * The output of the security function e is then truncated to 24 bits
500 	 * by taking the least significant 24 bits of the output of e as the
501 	 * result of ah.
502 	 */
503 	memcpy(res, _res, 3);
504 
505 	return 0;
506 }
507 
508 bool smp_irk_matches(struct hci_dev *hdev, const u8 irk[16],
509 		     const bdaddr_t *bdaddr)
510 {
511 	struct l2cap_chan *chan = hdev->smp_data;
512 	struct smp_dev *smp;
513 	u8 hash[3];
514 	int err;
515 
516 	if (!chan || !chan->data)
517 		return false;
518 
519 	smp = chan->data;
520 
521 	BT_DBG("RPA %pMR IRK %*phN", bdaddr, 16, irk);
522 
523 	err = smp_ah(smp->tfm_aes, irk, &bdaddr->b[3], hash);
524 	if (err)
525 		return false;
526 
527 	return !crypto_memneq(bdaddr->b, hash, 3);
528 }
529 
530 int smp_generate_rpa(struct hci_dev *hdev, const u8 irk[16], bdaddr_t *rpa)
531 {
532 	struct l2cap_chan *chan = hdev->smp_data;
533 	struct smp_dev *smp;
534 	int err;
535 
536 	if (!chan || !chan->data)
537 		return -EOPNOTSUPP;
538 
539 	smp = chan->data;
540 
541 	get_random_bytes(&rpa->b[3], 3);
542 
543 	rpa->b[5] &= 0x3f;	/* Clear two most significant bits */
544 	rpa->b[5] |= 0x40;	/* Set second most significant bit */
545 
546 	err = smp_ah(smp->tfm_aes, irk, &rpa->b[3], rpa->b);
547 	if (err < 0)
548 		return err;
549 
550 	BT_DBG("RPA %pMR", rpa);
551 
552 	return 0;
553 }
554 
555 int smp_generate_oob(struct hci_dev *hdev, u8 hash[16], u8 rand[16])
556 {
557 	struct l2cap_chan *chan = hdev->smp_data;
558 	struct smp_dev *smp;
559 	int err;
560 
561 	if (!chan || !chan->data)
562 		return -EOPNOTSUPP;
563 
564 	smp = chan->data;
565 
566 	if (hci_dev_test_flag(hdev, HCI_USE_DEBUG_KEYS)) {
567 		BT_DBG("Using debug keys");
568 		memcpy(smp->local_pk, debug_pk, 64);
569 		memcpy(smp->local_sk, debug_sk, 32);
570 		smp->debug_key = true;
571 	} else {
572 		while (true) {
573 			/* Seed private key with random number */
574 			get_random_bytes(smp->local_sk, 32);
575 
576 			/* Generate local key pair for Secure Connections */
577 			if (!generate_ecdh_keys(smp->local_pk, smp->local_sk))
578 				return -EIO;
579 
580 			/* This is unlikely, but we need to check that
581 			 * we didn't accidentially generate a debug key.
582 			 */
583 			if (crypto_memneq(smp->local_sk, debug_sk, 32))
584 				break;
585 		}
586 		smp->debug_key = false;
587 	}
588 
589 	SMP_DBG("OOB Public Key X: %32phN", smp->local_pk);
590 	SMP_DBG("OOB Public Key Y: %32phN", smp->local_pk + 32);
591 	SMP_DBG("OOB Private Key:  %32phN", smp->local_sk);
592 
593 	get_random_bytes(smp->local_rand, 16);
594 
595 	err = smp_f4(smp->tfm_cmac, smp->local_pk, smp->local_pk,
596 		     smp->local_rand, 0, hash);
597 	if (err < 0)
598 		return err;
599 
600 	memcpy(rand, smp->local_rand, 16);
601 
602 	return 0;
603 }
604 
605 static void smp_send_cmd(struct l2cap_conn *conn, u8 code, u16 len, void *data)
606 {
607 	struct l2cap_chan *chan = conn->smp;
608 	struct smp_chan *smp;
609 	struct kvec iv[2];
610 	struct msghdr msg;
611 
612 	if (!chan)
613 		return;
614 
615 	BT_DBG("code 0x%2.2x", code);
616 
617 	iv[0].iov_base = &code;
618 	iv[0].iov_len = 1;
619 
620 	iv[1].iov_base = data;
621 	iv[1].iov_len = len;
622 
623 	memset(&msg, 0, sizeof(msg));
624 
625 	iov_iter_kvec(&msg.msg_iter, WRITE | ITER_KVEC, iv, 2, 1 + len);
626 
627 	l2cap_chan_send(chan, &msg, 1 + len);
628 
629 	if (!chan->data)
630 		return;
631 
632 	smp = chan->data;
633 
634 	cancel_delayed_work_sync(&smp->security_timer);
635 	schedule_delayed_work(&smp->security_timer, SMP_TIMEOUT);
636 }
637 
638 static u8 authreq_to_seclevel(u8 authreq)
639 {
640 	if (authreq & SMP_AUTH_MITM) {
641 		if (authreq & SMP_AUTH_SC)
642 			return BT_SECURITY_FIPS;
643 		else
644 			return BT_SECURITY_HIGH;
645 	} else {
646 		return BT_SECURITY_MEDIUM;
647 	}
648 }
649 
650 static __u8 seclevel_to_authreq(__u8 sec_level)
651 {
652 	switch (sec_level) {
653 	case BT_SECURITY_FIPS:
654 	case BT_SECURITY_HIGH:
655 		return SMP_AUTH_MITM | SMP_AUTH_BONDING;
656 	case BT_SECURITY_MEDIUM:
657 		return SMP_AUTH_BONDING;
658 	default:
659 		return SMP_AUTH_NONE;
660 	}
661 }
662 
663 static void build_pairing_cmd(struct l2cap_conn *conn,
664 			      struct smp_cmd_pairing *req,
665 			      struct smp_cmd_pairing *rsp, __u8 authreq)
666 {
667 	struct l2cap_chan *chan = conn->smp;
668 	struct smp_chan *smp = chan->data;
669 	struct hci_conn *hcon = conn->hcon;
670 	struct hci_dev *hdev = hcon->hdev;
671 	u8 local_dist = 0, remote_dist = 0, oob_flag = SMP_OOB_NOT_PRESENT;
672 
673 	if (hci_dev_test_flag(hdev, HCI_BONDABLE)) {
674 		local_dist = SMP_DIST_ENC_KEY | SMP_DIST_SIGN;
675 		remote_dist = SMP_DIST_ENC_KEY | SMP_DIST_SIGN;
676 		authreq |= SMP_AUTH_BONDING;
677 	} else {
678 		authreq &= ~SMP_AUTH_BONDING;
679 	}
680 
681 	if (hci_dev_test_flag(hdev, HCI_RPA_RESOLVING))
682 		remote_dist |= SMP_DIST_ID_KEY;
683 
684 	if (hci_dev_test_flag(hdev, HCI_PRIVACY))
685 		local_dist |= SMP_DIST_ID_KEY;
686 
687 	if (hci_dev_test_flag(hdev, HCI_SC_ENABLED) &&
688 	    (authreq & SMP_AUTH_SC)) {
689 		struct oob_data *oob_data;
690 		u8 bdaddr_type;
691 
692 		if (hci_dev_test_flag(hdev, HCI_SSP_ENABLED)) {
693 			local_dist |= SMP_DIST_LINK_KEY;
694 			remote_dist |= SMP_DIST_LINK_KEY;
695 		}
696 
697 		if (hcon->dst_type == ADDR_LE_DEV_PUBLIC)
698 			bdaddr_type = BDADDR_LE_PUBLIC;
699 		else
700 			bdaddr_type = BDADDR_LE_RANDOM;
701 
702 		oob_data = hci_find_remote_oob_data(hdev, &hcon->dst,
703 						    bdaddr_type);
704 		if (oob_data && oob_data->present) {
705 			set_bit(SMP_FLAG_REMOTE_OOB, &smp->flags);
706 			oob_flag = SMP_OOB_PRESENT;
707 			memcpy(smp->rr, oob_data->rand256, 16);
708 			memcpy(smp->pcnf, oob_data->hash256, 16);
709 			SMP_DBG("OOB Remote Confirmation: %16phN", smp->pcnf);
710 			SMP_DBG("OOB Remote Random: %16phN", smp->rr);
711 		}
712 
713 	} else {
714 		authreq &= ~SMP_AUTH_SC;
715 	}
716 
717 	if (rsp == NULL) {
718 		req->io_capability = conn->hcon->io_capability;
719 		req->oob_flag = oob_flag;
720 		req->max_key_size = SMP_DEV(hdev)->max_key_size;
721 		req->init_key_dist = local_dist;
722 		req->resp_key_dist = remote_dist;
723 		req->auth_req = (authreq & AUTH_REQ_MASK(hdev));
724 
725 		smp->remote_key_dist = remote_dist;
726 		return;
727 	}
728 
729 	rsp->io_capability = conn->hcon->io_capability;
730 	rsp->oob_flag = oob_flag;
731 	rsp->max_key_size = SMP_DEV(hdev)->max_key_size;
732 	rsp->init_key_dist = req->init_key_dist & remote_dist;
733 	rsp->resp_key_dist = req->resp_key_dist & local_dist;
734 	rsp->auth_req = (authreq & AUTH_REQ_MASK(hdev));
735 
736 	smp->remote_key_dist = rsp->init_key_dist;
737 }
738 
739 static u8 check_enc_key_size(struct l2cap_conn *conn, __u8 max_key_size)
740 {
741 	struct l2cap_chan *chan = conn->smp;
742 	struct hci_dev *hdev = conn->hcon->hdev;
743 	struct smp_chan *smp = chan->data;
744 
745 	if (max_key_size > SMP_DEV(hdev)->max_key_size ||
746 	    max_key_size < SMP_MIN_ENC_KEY_SIZE)
747 		return SMP_ENC_KEY_SIZE;
748 
749 	smp->enc_key_size = max_key_size;
750 
751 	return 0;
752 }
753 
754 static void smp_chan_destroy(struct l2cap_conn *conn)
755 {
756 	struct l2cap_chan *chan = conn->smp;
757 	struct smp_chan *smp = chan->data;
758 	struct hci_conn *hcon = conn->hcon;
759 	bool complete;
760 
761 	BUG_ON(!smp);
762 
763 	cancel_delayed_work_sync(&smp->security_timer);
764 
765 	complete = test_bit(SMP_FLAG_COMPLETE, &smp->flags);
766 	mgmt_smp_complete(hcon, complete);
767 
768 	kzfree(smp->csrk);
769 	kzfree(smp->slave_csrk);
770 	kzfree(smp->link_key);
771 
772 	crypto_free_cipher(smp->tfm_aes);
773 	crypto_free_shash(smp->tfm_cmac);
774 
775 	/* Ensure that we don't leave any debug key around if debug key
776 	 * support hasn't been explicitly enabled.
777 	 */
778 	if (smp->ltk && smp->ltk->type == SMP_LTK_P256_DEBUG &&
779 	    !hci_dev_test_flag(hcon->hdev, HCI_KEEP_DEBUG_KEYS)) {
780 		list_del_rcu(&smp->ltk->list);
781 		kfree_rcu(smp->ltk, rcu);
782 		smp->ltk = NULL;
783 	}
784 
785 	/* If pairing failed clean up any keys we might have */
786 	if (!complete) {
787 		if (smp->ltk) {
788 			list_del_rcu(&smp->ltk->list);
789 			kfree_rcu(smp->ltk, rcu);
790 		}
791 
792 		if (smp->slave_ltk) {
793 			list_del_rcu(&smp->slave_ltk->list);
794 			kfree_rcu(smp->slave_ltk, rcu);
795 		}
796 
797 		if (smp->remote_irk) {
798 			list_del_rcu(&smp->remote_irk->list);
799 			kfree_rcu(smp->remote_irk, rcu);
800 		}
801 	}
802 
803 	chan->data = NULL;
804 	kzfree(smp);
805 	hci_conn_drop(hcon);
806 }
807 
808 static void smp_failure(struct l2cap_conn *conn, u8 reason)
809 {
810 	struct hci_conn *hcon = conn->hcon;
811 	struct l2cap_chan *chan = conn->smp;
812 
813 	if (reason)
814 		smp_send_cmd(conn, SMP_CMD_PAIRING_FAIL, sizeof(reason),
815 			     &reason);
816 
817 	mgmt_auth_failed(hcon, HCI_ERROR_AUTH_FAILURE);
818 
819 	if (chan->data)
820 		smp_chan_destroy(conn);
821 }
822 
823 #define JUST_WORKS	0x00
824 #define JUST_CFM	0x01
825 #define REQ_PASSKEY	0x02
826 #define CFM_PASSKEY	0x03
827 #define REQ_OOB		0x04
828 #define DSP_PASSKEY	0x05
829 #define OVERLAP		0xFF
830 
831 static const u8 gen_method[5][5] = {
832 	{ JUST_WORKS,  JUST_CFM,    REQ_PASSKEY, JUST_WORKS, REQ_PASSKEY },
833 	{ JUST_WORKS,  JUST_CFM,    REQ_PASSKEY, JUST_WORKS, REQ_PASSKEY },
834 	{ CFM_PASSKEY, CFM_PASSKEY, REQ_PASSKEY, JUST_WORKS, CFM_PASSKEY },
835 	{ JUST_WORKS,  JUST_CFM,    JUST_WORKS,  JUST_WORKS, JUST_CFM    },
836 	{ CFM_PASSKEY, CFM_PASSKEY, REQ_PASSKEY, JUST_WORKS, OVERLAP     },
837 };
838 
839 static const u8 sc_method[5][5] = {
840 	{ JUST_WORKS,  JUST_CFM,    REQ_PASSKEY, JUST_WORKS, REQ_PASSKEY },
841 	{ JUST_WORKS,  CFM_PASSKEY, REQ_PASSKEY, JUST_WORKS, CFM_PASSKEY },
842 	{ DSP_PASSKEY, DSP_PASSKEY, REQ_PASSKEY, JUST_WORKS, DSP_PASSKEY },
843 	{ JUST_WORKS,  JUST_CFM,    JUST_WORKS,  JUST_WORKS, JUST_CFM    },
844 	{ DSP_PASSKEY, CFM_PASSKEY, REQ_PASSKEY, JUST_WORKS, CFM_PASSKEY },
845 };
846 
847 static u8 get_auth_method(struct smp_chan *smp, u8 local_io, u8 remote_io)
848 {
849 	/* If either side has unknown io_caps, use JUST_CFM (which gets
850 	 * converted later to JUST_WORKS if we're initiators.
851 	 */
852 	if (local_io > SMP_IO_KEYBOARD_DISPLAY ||
853 	    remote_io > SMP_IO_KEYBOARD_DISPLAY)
854 		return JUST_CFM;
855 
856 	if (test_bit(SMP_FLAG_SC, &smp->flags))
857 		return sc_method[remote_io][local_io];
858 
859 	return gen_method[remote_io][local_io];
860 }
861 
862 static int tk_request(struct l2cap_conn *conn, u8 remote_oob, u8 auth,
863 						u8 local_io, u8 remote_io)
864 {
865 	struct hci_conn *hcon = conn->hcon;
866 	struct l2cap_chan *chan = conn->smp;
867 	struct smp_chan *smp = chan->data;
868 	u32 passkey = 0;
869 	int ret = 0;
870 
871 	/* Initialize key for JUST WORKS */
872 	memset(smp->tk, 0, sizeof(smp->tk));
873 	clear_bit(SMP_FLAG_TK_VALID, &smp->flags);
874 
875 	BT_DBG("tk_request: auth:%d lcl:%d rem:%d", auth, local_io, remote_io);
876 
877 	/* If neither side wants MITM, either "just" confirm an incoming
878 	 * request or use just-works for outgoing ones. The JUST_CFM
879 	 * will be converted to JUST_WORKS if necessary later in this
880 	 * function. If either side has MITM look up the method from the
881 	 * table.
882 	 */
883 	if (!(auth & SMP_AUTH_MITM))
884 		smp->method = JUST_CFM;
885 	else
886 		smp->method = get_auth_method(smp, local_io, remote_io);
887 
888 	/* Don't confirm locally initiated pairing attempts */
889 	if (smp->method == JUST_CFM && test_bit(SMP_FLAG_INITIATOR,
890 						&smp->flags))
891 		smp->method = JUST_WORKS;
892 
893 	/* Don't bother user space with no IO capabilities */
894 	if (smp->method == JUST_CFM &&
895 	    hcon->io_capability == HCI_IO_NO_INPUT_OUTPUT)
896 		smp->method = JUST_WORKS;
897 
898 	/* If Just Works, Continue with Zero TK */
899 	if (smp->method == JUST_WORKS) {
900 		set_bit(SMP_FLAG_TK_VALID, &smp->flags);
901 		return 0;
902 	}
903 
904 	/* If this function is used for SC -> legacy fallback we
905 	 * can only recover the just-works case.
906 	 */
907 	if (test_bit(SMP_FLAG_SC, &smp->flags))
908 		return -EINVAL;
909 
910 	/* Not Just Works/Confirm results in MITM Authentication */
911 	if (smp->method != JUST_CFM) {
912 		set_bit(SMP_FLAG_MITM_AUTH, &smp->flags);
913 		if (hcon->pending_sec_level < BT_SECURITY_HIGH)
914 			hcon->pending_sec_level = BT_SECURITY_HIGH;
915 	}
916 
917 	/* If both devices have Keyoard-Display I/O, the master
918 	 * Confirms and the slave Enters the passkey.
919 	 */
920 	if (smp->method == OVERLAP) {
921 		if (hcon->role == HCI_ROLE_MASTER)
922 			smp->method = CFM_PASSKEY;
923 		else
924 			smp->method = REQ_PASSKEY;
925 	}
926 
927 	/* Generate random passkey. */
928 	if (smp->method == CFM_PASSKEY) {
929 		memset(smp->tk, 0, sizeof(smp->tk));
930 		get_random_bytes(&passkey, sizeof(passkey));
931 		passkey %= 1000000;
932 		put_unaligned_le32(passkey, smp->tk);
933 		BT_DBG("PassKey: %d", passkey);
934 		set_bit(SMP_FLAG_TK_VALID, &smp->flags);
935 	}
936 
937 	if (smp->method == REQ_PASSKEY)
938 		ret = mgmt_user_passkey_request(hcon->hdev, &hcon->dst,
939 						hcon->type, hcon->dst_type);
940 	else if (smp->method == JUST_CFM)
941 		ret = mgmt_user_confirm_request(hcon->hdev, &hcon->dst,
942 						hcon->type, hcon->dst_type,
943 						passkey, 1);
944 	else
945 		ret = mgmt_user_passkey_notify(hcon->hdev, &hcon->dst,
946 						hcon->type, hcon->dst_type,
947 						passkey, 0);
948 
949 	return ret;
950 }
951 
952 static u8 smp_confirm(struct smp_chan *smp)
953 {
954 	struct l2cap_conn *conn = smp->conn;
955 	struct smp_cmd_pairing_confirm cp;
956 	int ret;
957 
958 	BT_DBG("conn %p", conn);
959 
960 	ret = smp_c1(smp->tfm_aes, smp->tk, smp->prnd, smp->preq, smp->prsp,
961 		     conn->hcon->init_addr_type, &conn->hcon->init_addr,
962 		     conn->hcon->resp_addr_type, &conn->hcon->resp_addr,
963 		     cp.confirm_val);
964 	if (ret)
965 		return SMP_UNSPECIFIED;
966 
967 	clear_bit(SMP_FLAG_CFM_PENDING, &smp->flags);
968 
969 	smp_send_cmd(smp->conn, SMP_CMD_PAIRING_CONFIRM, sizeof(cp), &cp);
970 
971 	if (conn->hcon->out)
972 		SMP_ALLOW_CMD(smp, SMP_CMD_PAIRING_CONFIRM);
973 	else
974 		SMP_ALLOW_CMD(smp, SMP_CMD_PAIRING_RANDOM);
975 
976 	return 0;
977 }
978 
979 static u8 smp_random(struct smp_chan *smp)
980 {
981 	struct l2cap_conn *conn = smp->conn;
982 	struct hci_conn *hcon = conn->hcon;
983 	u8 confirm[16];
984 	int ret;
985 
986 	if (IS_ERR_OR_NULL(smp->tfm_aes))
987 		return SMP_UNSPECIFIED;
988 
989 	BT_DBG("conn %p %s", conn, conn->hcon->out ? "master" : "slave");
990 
991 	ret = smp_c1(smp->tfm_aes, smp->tk, smp->rrnd, smp->preq, smp->prsp,
992 		     hcon->init_addr_type, &hcon->init_addr,
993 		     hcon->resp_addr_type, &hcon->resp_addr, confirm);
994 	if (ret)
995 		return SMP_UNSPECIFIED;
996 
997 	if (crypto_memneq(smp->pcnf, confirm, sizeof(smp->pcnf))) {
998 		BT_ERR("Pairing failed (confirmation values mismatch)");
999 		return SMP_CONFIRM_FAILED;
1000 	}
1001 
1002 	if (hcon->out) {
1003 		u8 stk[16];
1004 		__le64 rand = 0;
1005 		__le16 ediv = 0;
1006 
1007 		smp_s1(smp->tfm_aes, smp->tk, smp->rrnd, smp->prnd, stk);
1008 
1009 		if (test_and_set_bit(HCI_CONN_ENCRYPT_PEND, &hcon->flags))
1010 			return SMP_UNSPECIFIED;
1011 
1012 		hci_le_start_enc(hcon, ediv, rand, stk, smp->enc_key_size);
1013 		hcon->enc_key_size = smp->enc_key_size;
1014 		set_bit(HCI_CONN_STK_ENCRYPT, &hcon->flags);
1015 	} else {
1016 		u8 stk[16], auth;
1017 		__le64 rand = 0;
1018 		__le16 ediv = 0;
1019 
1020 		smp_send_cmd(conn, SMP_CMD_PAIRING_RANDOM, sizeof(smp->prnd),
1021 			     smp->prnd);
1022 
1023 		smp_s1(smp->tfm_aes, smp->tk, smp->prnd, smp->rrnd, stk);
1024 
1025 		if (hcon->pending_sec_level == BT_SECURITY_HIGH)
1026 			auth = 1;
1027 		else
1028 			auth = 0;
1029 
1030 		/* Even though there's no _SLAVE suffix this is the
1031 		 * slave STK we're adding for later lookup (the master
1032 		 * STK never needs to be stored).
1033 		 */
1034 		hci_add_ltk(hcon->hdev, &hcon->dst, hcon->dst_type,
1035 			    SMP_STK, auth, stk, smp->enc_key_size, ediv, rand);
1036 	}
1037 
1038 	return 0;
1039 }
1040 
1041 static void smp_notify_keys(struct l2cap_conn *conn)
1042 {
1043 	struct l2cap_chan *chan = conn->smp;
1044 	struct smp_chan *smp = chan->data;
1045 	struct hci_conn *hcon = conn->hcon;
1046 	struct hci_dev *hdev = hcon->hdev;
1047 	struct smp_cmd_pairing *req = (void *) &smp->preq[1];
1048 	struct smp_cmd_pairing *rsp = (void *) &smp->prsp[1];
1049 	bool persistent;
1050 
1051 	if (hcon->type == ACL_LINK) {
1052 		if (hcon->key_type == HCI_LK_DEBUG_COMBINATION)
1053 			persistent = false;
1054 		else
1055 			persistent = !test_bit(HCI_CONN_FLUSH_KEY,
1056 					       &hcon->flags);
1057 	} else {
1058 		/* The LTKs, IRKs and CSRKs should be persistent only if
1059 		 * both sides had the bonding bit set in their
1060 		 * authentication requests.
1061 		 */
1062 		persistent = !!((req->auth_req & rsp->auth_req) &
1063 				SMP_AUTH_BONDING);
1064 	}
1065 
1066 	if (smp->remote_irk) {
1067 		mgmt_new_irk(hdev, smp->remote_irk, persistent);
1068 
1069 		/* Now that user space can be considered to know the
1070 		 * identity address track the connection based on it
1071 		 * from now on (assuming this is an LE link).
1072 		 */
1073 		if (hcon->type == LE_LINK) {
1074 			bacpy(&hcon->dst, &smp->remote_irk->bdaddr);
1075 			hcon->dst_type = smp->remote_irk->addr_type;
1076 			queue_work(hdev->workqueue, &conn->id_addr_update_work);
1077 		}
1078 	}
1079 
1080 	if (smp->csrk) {
1081 		smp->csrk->bdaddr_type = hcon->dst_type;
1082 		bacpy(&smp->csrk->bdaddr, &hcon->dst);
1083 		mgmt_new_csrk(hdev, smp->csrk, persistent);
1084 	}
1085 
1086 	if (smp->slave_csrk) {
1087 		smp->slave_csrk->bdaddr_type = hcon->dst_type;
1088 		bacpy(&smp->slave_csrk->bdaddr, &hcon->dst);
1089 		mgmt_new_csrk(hdev, smp->slave_csrk, persistent);
1090 	}
1091 
1092 	if (smp->ltk) {
1093 		smp->ltk->bdaddr_type = hcon->dst_type;
1094 		bacpy(&smp->ltk->bdaddr, &hcon->dst);
1095 		mgmt_new_ltk(hdev, smp->ltk, persistent);
1096 	}
1097 
1098 	if (smp->slave_ltk) {
1099 		smp->slave_ltk->bdaddr_type = hcon->dst_type;
1100 		bacpy(&smp->slave_ltk->bdaddr, &hcon->dst);
1101 		mgmt_new_ltk(hdev, smp->slave_ltk, persistent);
1102 	}
1103 
1104 	if (smp->link_key) {
1105 		struct link_key *key;
1106 		u8 type;
1107 
1108 		if (test_bit(SMP_FLAG_DEBUG_KEY, &smp->flags))
1109 			type = HCI_LK_DEBUG_COMBINATION;
1110 		else if (hcon->sec_level == BT_SECURITY_FIPS)
1111 			type = HCI_LK_AUTH_COMBINATION_P256;
1112 		else
1113 			type = HCI_LK_UNAUTH_COMBINATION_P256;
1114 
1115 		key = hci_add_link_key(hdev, smp->conn->hcon, &hcon->dst,
1116 				       smp->link_key, type, 0, &persistent);
1117 		if (key) {
1118 			mgmt_new_link_key(hdev, key, persistent);
1119 
1120 			/* Don't keep debug keys around if the relevant
1121 			 * flag is not set.
1122 			 */
1123 			if (!hci_dev_test_flag(hdev, HCI_KEEP_DEBUG_KEYS) &&
1124 			    key->type == HCI_LK_DEBUG_COMBINATION) {
1125 				list_del_rcu(&key->list);
1126 				kfree_rcu(key, rcu);
1127 			}
1128 		}
1129 	}
1130 }
1131 
1132 static void sc_add_ltk(struct smp_chan *smp)
1133 {
1134 	struct hci_conn *hcon = smp->conn->hcon;
1135 	u8 key_type, auth;
1136 
1137 	if (test_bit(SMP_FLAG_DEBUG_KEY, &smp->flags))
1138 		key_type = SMP_LTK_P256_DEBUG;
1139 	else
1140 		key_type = SMP_LTK_P256;
1141 
1142 	if (hcon->pending_sec_level == BT_SECURITY_FIPS)
1143 		auth = 1;
1144 	else
1145 		auth = 0;
1146 
1147 	smp->ltk = hci_add_ltk(hcon->hdev, &hcon->dst, hcon->dst_type,
1148 			       key_type, auth, smp->tk, smp->enc_key_size,
1149 			       0, 0);
1150 }
1151 
1152 static void sc_generate_link_key(struct smp_chan *smp)
1153 {
1154 	/* From core spec. Spells out in ASCII as 'lebr'. */
1155 	const u8 lebr[4] = { 0x72, 0x62, 0x65, 0x6c };
1156 
1157 	smp->link_key = kzalloc(16, GFP_KERNEL);
1158 	if (!smp->link_key)
1159 		return;
1160 
1161 	if (test_bit(SMP_FLAG_CT2, &smp->flags)) {
1162 		/* SALT = 0x00000000000000000000000000000000746D7031 */
1163 		const u8 salt[16] = { 0x31, 0x70, 0x6d, 0x74 };
1164 
1165 		if (smp_h7(smp->tfm_cmac, smp->tk, salt, smp->link_key)) {
1166 			kzfree(smp->link_key);
1167 			smp->link_key = NULL;
1168 			return;
1169 		}
1170 	} else {
1171 		/* From core spec. Spells out in ASCII as 'tmp1'. */
1172 		const u8 tmp1[4] = { 0x31, 0x70, 0x6d, 0x74 };
1173 
1174 		if (smp_h6(smp->tfm_cmac, smp->tk, tmp1, smp->link_key)) {
1175 			kzfree(smp->link_key);
1176 			smp->link_key = NULL;
1177 			return;
1178 		}
1179 	}
1180 
1181 	if (smp_h6(smp->tfm_cmac, smp->link_key, lebr, smp->link_key)) {
1182 		kzfree(smp->link_key);
1183 		smp->link_key = NULL;
1184 		return;
1185 	}
1186 }
1187 
1188 static void smp_allow_key_dist(struct smp_chan *smp)
1189 {
1190 	/* Allow the first expected phase 3 PDU. The rest of the PDUs
1191 	 * will be allowed in each PDU handler to ensure we receive
1192 	 * them in the correct order.
1193 	 */
1194 	if (smp->remote_key_dist & SMP_DIST_ENC_KEY)
1195 		SMP_ALLOW_CMD(smp, SMP_CMD_ENCRYPT_INFO);
1196 	else if (smp->remote_key_dist & SMP_DIST_ID_KEY)
1197 		SMP_ALLOW_CMD(smp, SMP_CMD_IDENT_INFO);
1198 	else if (smp->remote_key_dist & SMP_DIST_SIGN)
1199 		SMP_ALLOW_CMD(smp, SMP_CMD_SIGN_INFO);
1200 }
1201 
1202 static void sc_generate_ltk(struct smp_chan *smp)
1203 {
1204 	/* From core spec. Spells out in ASCII as 'brle'. */
1205 	const u8 brle[4] = { 0x65, 0x6c, 0x72, 0x62 };
1206 	struct hci_conn *hcon = smp->conn->hcon;
1207 	struct hci_dev *hdev = hcon->hdev;
1208 	struct link_key *key;
1209 
1210 	key = hci_find_link_key(hdev, &hcon->dst);
1211 	if (!key) {
1212 		BT_ERR("%s No Link Key found to generate LTK", hdev->name);
1213 		return;
1214 	}
1215 
1216 	if (key->type == HCI_LK_DEBUG_COMBINATION)
1217 		set_bit(SMP_FLAG_DEBUG_KEY, &smp->flags);
1218 
1219 	if (test_bit(SMP_FLAG_CT2, &smp->flags)) {
1220 		/* SALT = 0x00000000000000000000000000000000746D7032 */
1221 		const u8 salt[16] = { 0x32, 0x70, 0x6d, 0x74 };
1222 
1223 		if (smp_h7(smp->tfm_cmac, key->val, salt, smp->tk))
1224 			return;
1225 	} else {
1226 		/* From core spec. Spells out in ASCII as 'tmp2'. */
1227 		const u8 tmp2[4] = { 0x32, 0x70, 0x6d, 0x74 };
1228 
1229 		if (smp_h6(smp->tfm_cmac, key->val, tmp2, smp->tk))
1230 			return;
1231 	}
1232 
1233 	if (smp_h6(smp->tfm_cmac, smp->tk, brle, smp->tk))
1234 		return;
1235 
1236 	sc_add_ltk(smp);
1237 }
1238 
1239 static void smp_distribute_keys(struct smp_chan *smp)
1240 {
1241 	struct smp_cmd_pairing *req, *rsp;
1242 	struct l2cap_conn *conn = smp->conn;
1243 	struct hci_conn *hcon = conn->hcon;
1244 	struct hci_dev *hdev = hcon->hdev;
1245 	__u8 *keydist;
1246 
1247 	BT_DBG("conn %p", conn);
1248 
1249 	rsp = (void *) &smp->prsp[1];
1250 
1251 	/* The responder sends its keys first */
1252 	if (hcon->out && (smp->remote_key_dist & KEY_DIST_MASK)) {
1253 		smp_allow_key_dist(smp);
1254 		return;
1255 	}
1256 
1257 	req = (void *) &smp->preq[1];
1258 
1259 	if (hcon->out) {
1260 		keydist = &rsp->init_key_dist;
1261 		*keydist &= req->init_key_dist;
1262 	} else {
1263 		keydist = &rsp->resp_key_dist;
1264 		*keydist &= req->resp_key_dist;
1265 	}
1266 
1267 	if (test_bit(SMP_FLAG_SC, &smp->flags)) {
1268 		if (hcon->type == LE_LINK && (*keydist & SMP_DIST_LINK_KEY))
1269 			sc_generate_link_key(smp);
1270 		if (hcon->type == ACL_LINK && (*keydist & SMP_DIST_ENC_KEY))
1271 			sc_generate_ltk(smp);
1272 
1273 		/* Clear the keys which are generated but not distributed */
1274 		*keydist &= ~SMP_SC_NO_DIST;
1275 	}
1276 
1277 	BT_DBG("keydist 0x%x", *keydist);
1278 
1279 	if (*keydist & SMP_DIST_ENC_KEY) {
1280 		struct smp_cmd_encrypt_info enc;
1281 		struct smp_cmd_master_ident ident;
1282 		struct smp_ltk *ltk;
1283 		u8 authenticated;
1284 		__le16 ediv;
1285 		__le64 rand;
1286 
1287 		/* Make sure we generate only the significant amount of
1288 		 * bytes based on the encryption key size, and set the rest
1289 		 * of the value to zeroes.
1290 		 */
1291 		get_random_bytes(enc.ltk, smp->enc_key_size);
1292 		memset(enc.ltk + smp->enc_key_size, 0,
1293 		       sizeof(enc.ltk) - smp->enc_key_size);
1294 
1295 		get_random_bytes(&ediv, sizeof(ediv));
1296 		get_random_bytes(&rand, sizeof(rand));
1297 
1298 		smp_send_cmd(conn, SMP_CMD_ENCRYPT_INFO, sizeof(enc), &enc);
1299 
1300 		authenticated = hcon->sec_level == BT_SECURITY_HIGH;
1301 		ltk = hci_add_ltk(hdev, &hcon->dst, hcon->dst_type,
1302 				  SMP_LTK_SLAVE, authenticated, enc.ltk,
1303 				  smp->enc_key_size, ediv, rand);
1304 		smp->slave_ltk = ltk;
1305 
1306 		ident.ediv = ediv;
1307 		ident.rand = rand;
1308 
1309 		smp_send_cmd(conn, SMP_CMD_MASTER_IDENT, sizeof(ident), &ident);
1310 
1311 		*keydist &= ~SMP_DIST_ENC_KEY;
1312 	}
1313 
1314 	if (*keydist & SMP_DIST_ID_KEY) {
1315 		struct smp_cmd_ident_addr_info addrinfo;
1316 		struct smp_cmd_ident_info idinfo;
1317 
1318 		memcpy(idinfo.irk, hdev->irk, sizeof(idinfo.irk));
1319 
1320 		smp_send_cmd(conn, SMP_CMD_IDENT_INFO, sizeof(idinfo), &idinfo);
1321 
1322 		/* The hci_conn contains the local identity address
1323 		 * after the connection has been established.
1324 		 *
1325 		 * This is true even when the connection has been
1326 		 * established using a resolvable random address.
1327 		 */
1328 		bacpy(&addrinfo.bdaddr, &hcon->src);
1329 		addrinfo.addr_type = hcon->src_type;
1330 
1331 		smp_send_cmd(conn, SMP_CMD_IDENT_ADDR_INFO, sizeof(addrinfo),
1332 			     &addrinfo);
1333 
1334 		*keydist &= ~SMP_DIST_ID_KEY;
1335 	}
1336 
1337 	if (*keydist & SMP_DIST_SIGN) {
1338 		struct smp_cmd_sign_info sign;
1339 		struct smp_csrk *csrk;
1340 
1341 		/* Generate a new random key */
1342 		get_random_bytes(sign.csrk, sizeof(sign.csrk));
1343 
1344 		csrk = kzalloc(sizeof(*csrk), GFP_KERNEL);
1345 		if (csrk) {
1346 			if (hcon->sec_level > BT_SECURITY_MEDIUM)
1347 				csrk->type = MGMT_CSRK_LOCAL_AUTHENTICATED;
1348 			else
1349 				csrk->type = MGMT_CSRK_LOCAL_UNAUTHENTICATED;
1350 			memcpy(csrk->val, sign.csrk, sizeof(csrk->val));
1351 		}
1352 		smp->slave_csrk = csrk;
1353 
1354 		smp_send_cmd(conn, SMP_CMD_SIGN_INFO, sizeof(sign), &sign);
1355 
1356 		*keydist &= ~SMP_DIST_SIGN;
1357 	}
1358 
1359 	/* If there are still keys to be received wait for them */
1360 	if (smp->remote_key_dist & KEY_DIST_MASK) {
1361 		smp_allow_key_dist(smp);
1362 		return;
1363 	}
1364 
1365 	set_bit(SMP_FLAG_COMPLETE, &smp->flags);
1366 	smp_notify_keys(conn);
1367 
1368 	smp_chan_destroy(conn);
1369 }
1370 
1371 static void smp_timeout(struct work_struct *work)
1372 {
1373 	struct smp_chan *smp = container_of(work, struct smp_chan,
1374 					    security_timer.work);
1375 	struct l2cap_conn *conn = smp->conn;
1376 
1377 	BT_DBG("conn %p", conn);
1378 
1379 	hci_disconnect(conn->hcon, HCI_ERROR_REMOTE_USER_TERM);
1380 }
1381 
1382 static struct smp_chan *smp_chan_create(struct l2cap_conn *conn)
1383 {
1384 	struct l2cap_chan *chan = conn->smp;
1385 	struct smp_chan *smp;
1386 
1387 	smp = kzalloc(sizeof(*smp), GFP_ATOMIC);
1388 	if (!smp)
1389 		return NULL;
1390 
1391 	smp->tfm_aes = crypto_alloc_cipher("aes", 0, CRYPTO_ALG_ASYNC);
1392 	if (IS_ERR(smp->tfm_aes)) {
1393 		BT_ERR("Unable to create AES crypto context");
1394 		kzfree(smp);
1395 		return NULL;
1396 	}
1397 
1398 	smp->tfm_cmac = crypto_alloc_shash("cmac(aes)", 0, 0);
1399 	if (IS_ERR(smp->tfm_cmac)) {
1400 		BT_ERR("Unable to create CMAC crypto context");
1401 		crypto_free_cipher(smp->tfm_aes);
1402 		kzfree(smp);
1403 		return NULL;
1404 	}
1405 
1406 	smp->conn = conn;
1407 	chan->data = smp;
1408 
1409 	SMP_ALLOW_CMD(smp, SMP_CMD_PAIRING_FAIL);
1410 
1411 	INIT_DELAYED_WORK(&smp->security_timer, smp_timeout);
1412 
1413 	hci_conn_hold(conn->hcon);
1414 
1415 	return smp;
1416 }
1417 
1418 static int sc_mackey_and_ltk(struct smp_chan *smp, u8 mackey[16], u8 ltk[16])
1419 {
1420 	struct hci_conn *hcon = smp->conn->hcon;
1421 	u8 *na, *nb, a[7], b[7];
1422 
1423 	if (hcon->out) {
1424 		na   = smp->prnd;
1425 		nb   = smp->rrnd;
1426 	} else {
1427 		na   = smp->rrnd;
1428 		nb   = smp->prnd;
1429 	}
1430 
1431 	memcpy(a, &hcon->init_addr, 6);
1432 	memcpy(b, &hcon->resp_addr, 6);
1433 	a[6] = hcon->init_addr_type;
1434 	b[6] = hcon->resp_addr_type;
1435 
1436 	return smp_f5(smp->tfm_cmac, smp->dhkey, na, nb, a, b, mackey, ltk);
1437 }
1438 
1439 static void sc_dhkey_check(struct smp_chan *smp)
1440 {
1441 	struct hci_conn *hcon = smp->conn->hcon;
1442 	struct smp_cmd_dhkey_check check;
1443 	u8 a[7], b[7], *local_addr, *remote_addr;
1444 	u8 io_cap[3], r[16];
1445 
1446 	memcpy(a, &hcon->init_addr, 6);
1447 	memcpy(b, &hcon->resp_addr, 6);
1448 	a[6] = hcon->init_addr_type;
1449 	b[6] = hcon->resp_addr_type;
1450 
1451 	if (hcon->out) {
1452 		local_addr = a;
1453 		remote_addr = b;
1454 		memcpy(io_cap, &smp->preq[1], 3);
1455 	} else {
1456 		local_addr = b;
1457 		remote_addr = a;
1458 		memcpy(io_cap, &smp->prsp[1], 3);
1459 	}
1460 
1461 	memset(r, 0, sizeof(r));
1462 
1463 	if (smp->method == REQ_PASSKEY || smp->method == DSP_PASSKEY)
1464 		put_unaligned_le32(hcon->passkey_notify, r);
1465 
1466 	if (smp->method == REQ_OOB)
1467 		memcpy(r, smp->rr, 16);
1468 
1469 	smp_f6(smp->tfm_cmac, smp->mackey, smp->prnd, smp->rrnd, r, io_cap,
1470 	       local_addr, remote_addr, check.e);
1471 
1472 	smp_send_cmd(smp->conn, SMP_CMD_DHKEY_CHECK, sizeof(check), &check);
1473 }
1474 
1475 static u8 sc_passkey_send_confirm(struct smp_chan *smp)
1476 {
1477 	struct l2cap_conn *conn = smp->conn;
1478 	struct hci_conn *hcon = conn->hcon;
1479 	struct smp_cmd_pairing_confirm cfm;
1480 	u8 r;
1481 
1482 	r = ((hcon->passkey_notify >> smp->passkey_round) & 0x01);
1483 	r |= 0x80;
1484 
1485 	get_random_bytes(smp->prnd, sizeof(smp->prnd));
1486 
1487 	if (smp_f4(smp->tfm_cmac, smp->local_pk, smp->remote_pk, smp->prnd, r,
1488 		   cfm.confirm_val))
1489 		return SMP_UNSPECIFIED;
1490 
1491 	smp_send_cmd(conn, SMP_CMD_PAIRING_CONFIRM, sizeof(cfm), &cfm);
1492 
1493 	return 0;
1494 }
1495 
1496 static u8 sc_passkey_round(struct smp_chan *smp, u8 smp_op)
1497 {
1498 	struct l2cap_conn *conn = smp->conn;
1499 	struct hci_conn *hcon = conn->hcon;
1500 	struct hci_dev *hdev = hcon->hdev;
1501 	u8 cfm[16], r;
1502 
1503 	/* Ignore the PDU if we've already done 20 rounds (0 - 19) */
1504 	if (smp->passkey_round >= 20)
1505 		return 0;
1506 
1507 	switch (smp_op) {
1508 	case SMP_CMD_PAIRING_RANDOM:
1509 		r = ((hcon->passkey_notify >> smp->passkey_round) & 0x01);
1510 		r |= 0x80;
1511 
1512 		if (smp_f4(smp->tfm_cmac, smp->remote_pk, smp->local_pk,
1513 			   smp->rrnd, r, cfm))
1514 			return SMP_UNSPECIFIED;
1515 
1516 		if (crypto_memneq(smp->pcnf, cfm, 16))
1517 			return SMP_CONFIRM_FAILED;
1518 
1519 		smp->passkey_round++;
1520 
1521 		if (smp->passkey_round == 20) {
1522 			/* Generate MacKey and LTK */
1523 			if (sc_mackey_and_ltk(smp, smp->mackey, smp->tk))
1524 				return SMP_UNSPECIFIED;
1525 		}
1526 
1527 		/* The round is only complete when the initiator
1528 		 * receives pairing random.
1529 		 */
1530 		if (!hcon->out) {
1531 			smp_send_cmd(conn, SMP_CMD_PAIRING_RANDOM,
1532 				     sizeof(smp->prnd), smp->prnd);
1533 			if (smp->passkey_round == 20)
1534 				SMP_ALLOW_CMD(smp, SMP_CMD_DHKEY_CHECK);
1535 			else
1536 				SMP_ALLOW_CMD(smp, SMP_CMD_PAIRING_CONFIRM);
1537 			return 0;
1538 		}
1539 
1540 		/* Start the next round */
1541 		if (smp->passkey_round != 20)
1542 			return sc_passkey_round(smp, 0);
1543 
1544 		/* Passkey rounds are complete - start DHKey Check */
1545 		sc_dhkey_check(smp);
1546 		SMP_ALLOW_CMD(smp, SMP_CMD_DHKEY_CHECK);
1547 
1548 		break;
1549 
1550 	case SMP_CMD_PAIRING_CONFIRM:
1551 		if (test_bit(SMP_FLAG_WAIT_USER, &smp->flags)) {
1552 			set_bit(SMP_FLAG_CFM_PENDING, &smp->flags);
1553 			return 0;
1554 		}
1555 
1556 		SMP_ALLOW_CMD(smp, SMP_CMD_PAIRING_RANDOM);
1557 
1558 		if (hcon->out) {
1559 			smp_send_cmd(conn, SMP_CMD_PAIRING_RANDOM,
1560 				     sizeof(smp->prnd), smp->prnd);
1561 			return 0;
1562 		}
1563 
1564 		return sc_passkey_send_confirm(smp);
1565 
1566 	case SMP_CMD_PUBLIC_KEY:
1567 	default:
1568 		/* Initiating device starts the round */
1569 		if (!hcon->out)
1570 			return 0;
1571 
1572 		BT_DBG("%s Starting passkey round %u", hdev->name,
1573 		       smp->passkey_round + 1);
1574 
1575 		SMP_ALLOW_CMD(smp, SMP_CMD_PAIRING_CONFIRM);
1576 
1577 		return sc_passkey_send_confirm(smp);
1578 	}
1579 
1580 	return 0;
1581 }
1582 
1583 static int sc_user_reply(struct smp_chan *smp, u16 mgmt_op, __le32 passkey)
1584 {
1585 	struct l2cap_conn *conn = smp->conn;
1586 	struct hci_conn *hcon = conn->hcon;
1587 	u8 smp_op;
1588 
1589 	clear_bit(SMP_FLAG_WAIT_USER, &smp->flags);
1590 
1591 	switch (mgmt_op) {
1592 	case MGMT_OP_USER_PASSKEY_NEG_REPLY:
1593 		smp_failure(smp->conn, SMP_PASSKEY_ENTRY_FAILED);
1594 		return 0;
1595 	case MGMT_OP_USER_CONFIRM_NEG_REPLY:
1596 		smp_failure(smp->conn, SMP_NUMERIC_COMP_FAILED);
1597 		return 0;
1598 	case MGMT_OP_USER_PASSKEY_REPLY:
1599 		hcon->passkey_notify = le32_to_cpu(passkey);
1600 		smp->passkey_round = 0;
1601 
1602 		if (test_and_clear_bit(SMP_FLAG_CFM_PENDING, &smp->flags))
1603 			smp_op = SMP_CMD_PAIRING_CONFIRM;
1604 		else
1605 			smp_op = 0;
1606 
1607 		if (sc_passkey_round(smp, smp_op))
1608 			return -EIO;
1609 
1610 		return 0;
1611 	}
1612 
1613 	/* Initiator sends DHKey check first */
1614 	if (hcon->out) {
1615 		sc_dhkey_check(smp);
1616 		SMP_ALLOW_CMD(smp, SMP_CMD_DHKEY_CHECK);
1617 	} else if (test_and_clear_bit(SMP_FLAG_DHKEY_PENDING, &smp->flags)) {
1618 		sc_dhkey_check(smp);
1619 		sc_add_ltk(smp);
1620 	}
1621 
1622 	return 0;
1623 }
1624 
1625 int smp_user_confirm_reply(struct hci_conn *hcon, u16 mgmt_op, __le32 passkey)
1626 {
1627 	struct l2cap_conn *conn = hcon->l2cap_data;
1628 	struct l2cap_chan *chan;
1629 	struct smp_chan *smp;
1630 	u32 value;
1631 	int err;
1632 
1633 	BT_DBG("");
1634 
1635 	if (!conn)
1636 		return -ENOTCONN;
1637 
1638 	chan = conn->smp;
1639 	if (!chan)
1640 		return -ENOTCONN;
1641 
1642 	l2cap_chan_lock(chan);
1643 	if (!chan->data) {
1644 		err = -ENOTCONN;
1645 		goto unlock;
1646 	}
1647 
1648 	smp = chan->data;
1649 
1650 	if (test_bit(SMP_FLAG_SC, &smp->flags)) {
1651 		err = sc_user_reply(smp, mgmt_op, passkey);
1652 		goto unlock;
1653 	}
1654 
1655 	switch (mgmt_op) {
1656 	case MGMT_OP_USER_PASSKEY_REPLY:
1657 		value = le32_to_cpu(passkey);
1658 		memset(smp->tk, 0, sizeof(smp->tk));
1659 		BT_DBG("PassKey: %d", value);
1660 		put_unaligned_le32(value, smp->tk);
1661 		/* Fall Through */
1662 	case MGMT_OP_USER_CONFIRM_REPLY:
1663 		set_bit(SMP_FLAG_TK_VALID, &smp->flags);
1664 		break;
1665 	case MGMT_OP_USER_PASSKEY_NEG_REPLY:
1666 	case MGMT_OP_USER_CONFIRM_NEG_REPLY:
1667 		smp_failure(conn, SMP_PASSKEY_ENTRY_FAILED);
1668 		err = 0;
1669 		goto unlock;
1670 	default:
1671 		smp_failure(conn, SMP_PASSKEY_ENTRY_FAILED);
1672 		err = -EOPNOTSUPP;
1673 		goto unlock;
1674 	}
1675 
1676 	err = 0;
1677 
1678 	/* If it is our turn to send Pairing Confirm, do so now */
1679 	if (test_bit(SMP_FLAG_CFM_PENDING, &smp->flags)) {
1680 		u8 rsp = smp_confirm(smp);
1681 		if (rsp)
1682 			smp_failure(conn, rsp);
1683 	}
1684 
1685 unlock:
1686 	l2cap_chan_unlock(chan);
1687 	return err;
1688 }
1689 
1690 static void build_bredr_pairing_cmd(struct smp_chan *smp,
1691 				    struct smp_cmd_pairing *req,
1692 				    struct smp_cmd_pairing *rsp)
1693 {
1694 	struct l2cap_conn *conn = smp->conn;
1695 	struct hci_dev *hdev = conn->hcon->hdev;
1696 	u8 local_dist = 0, remote_dist = 0;
1697 
1698 	if (hci_dev_test_flag(hdev, HCI_BONDABLE)) {
1699 		local_dist = SMP_DIST_ENC_KEY | SMP_DIST_SIGN;
1700 		remote_dist = SMP_DIST_ENC_KEY | SMP_DIST_SIGN;
1701 	}
1702 
1703 	if (hci_dev_test_flag(hdev, HCI_RPA_RESOLVING))
1704 		remote_dist |= SMP_DIST_ID_KEY;
1705 
1706 	if (hci_dev_test_flag(hdev, HCI_PRIVACY))
1707 		local_dist |= SMP_DIST_ID_KEY;
1708 
1709 	if (!rsp) {
1710 		memset(req, 0, sizeof(*req));
1711 
1712 		req->auth_req        = SMP_AUTH_CT2;
1713 		req->init_key_dist   = local_dist;
1714 		req->resp_key_dist   = remote_dist;
1715 		req->max_key_size    = conn->hcon->enc_key_size;
1716 
1717 		smp->remote_key_dist = remote_dist;
1718 
1719 		return;
1720 	}
1721 
1722 	memset(rsp, 0, sizeof(*rsp));
1723 
1724 	rsp->auth_req        = SMP_AUTH_CT2;
1725 	rsp->max_key_size    = conn->hcon->enc_key_size;
1726 	rsp->init_key_dist   = req->init_key_dist & remote_dist;
1727 	rsp->resp_key_dist   = req->resp_key_dist & local_dist;
1728 
1729 	smp->remote_key_dist = rsp->init_key_dist;
1730 }
1731 
1732 static u8 smp_cmd_pairing_req(struct l2cap_conn *conn, struct sk_buff *skb)
1733 {
1734 	struct smp_cmd_pairing rsp, *req = (void *) skb->data;
1735 	struct l2cap_chan *chan = conn->smp;
1736 	struct hci_dev *hdev = conn->hcon->hdev;
1737 	struct smp_chan *smp;
1738 	u8 key_size, auth, sec_level;
1739 	int ret;
1740 
1741 	BT_DBG("conn %p", conn);
1742 
1743 	if (skb->len < sizeof(*req))
1744 		return SMP_INVALID_PARAMS;
1745 
1746 	if (conn->hcon->role != HCI_ROLE_SLAVE)
1747 		return SMP_CMD_NOTSUPP;
1748 
1749 	if (!chan->data)
1750 		smp = smp_chan_create(conn);
1751 	else
1752 		smp = chan->data;
1753 
1754 	if (!smp)
1755 		return SMP_UNSPECIFIED;
1756 
1757 	/* We didn't start the pairing, so match remote */
1758 	auth = req->auth_req & AUTH_REQ_MASK(hdev);
1759 
1760 	if (!hci_dev_test_flag(hdev, HCI_BONDABLE) &&
1761 	    (auth & SMP_AUTH_BONDING))
1762 		return SMP_PAIRING_NOTSUPP;
1763 
1764 	if (hci_dev_test_flag(hdev, HCI_SC_ONLY) && !(auth & SMP_AUTH_SC))
1765 		return SMP_AUTH_REQUIREMENTS;
1766 
1767 	smp->preq[0] = SMP_CMD_PAIRING_REQ;
1768 	memcpy(&smp->preq[1], req, sizeof(*req));
1769 	skb_pull(skb, sizeof(*req));
1770 
1771 	/* If the remote side's OOB flag is set it means it has
1772 	 * successfully received our local OOB data - therefore set the
1773 	 * flag to indicate that local OOB is in use.
1774 	 */
1775 	if (req->oob_flag == SMP_OOB_PRESENT)
1776 		set_bit(SMP_FLAG_LOCAL_OOB, &smp->flags);
1777 
1778 	/* SMP over BR/EDR requires special treatment */
1779 	if (conn->hcon->type == ACL_LINK) {
1780 		/* We must have a BR/EDR SC link */
1781 		if (!test_bit(HCI_CONN_AES_CCM, &conn->hcon->flags) &&
1782 		    !hci_dev_test_flag(hdev, HCI_FORCE_BREDR_SMP))
1783 			return SMP_CROSS_TRANSP_NOT_ALLOWED;
1784 
1785 		set_bit(SMP_FLAG_SC, &smp->flags);
1786 
1787 		build_bredr_pairing_cmd(smp, req, &rsp);
1788 
1789 		if (req->auth_req & SMP_AUTH_CT2)
1790 			set_bit(SMP_FLAG_CT2, &smp->flags);
1791 
1792 		key_size = min(req->max_key_size, rsp.max_key_size);
1793 		if (check_enc_key_size(conn, key_size))
1794 			return SMP_ENC_KEY_SIZE;
1795 
1796 		/* Clear bits which are generated but not distributed */
1797 		smp->remote_key_dist &= ~SMP_SC_NO_DIST;
1798 
1799 		smp->prsp[0] = SMP_CMD_PAIRING_RSP;
1800 		memcpy(&smp->prsp[1], &rsp, sizeof(rsp));
1801 		smp_send_cmd(conn, SMP_CMD_PAIRING_RSP, sizeof(rsp), &rsp);
1802 
1803 		smp_distribute_keys(smp);
1804 		return 0;
1805 	}
1806 
1807 	build_pairing_cmd(conn, req, &rsp, auth);
1808 
1809 	if (rsp.auth_req & SMP_AUTH_SC) {
1810 		set_bit(SMP_FLAG_SC, &smp->flags);
1811 
1812 		if (rsp.auth_req & SMP_AUTH_CT2)
1813 			set_bit(SMP_FLAG_CT2, &smp->flags);
1814 	}
1815 
1816 	if (conn->hcon->io_capability == HCI_IO_NO_INPUT_OUTPUT)
1817 		sec_level = BT_SECURITY_MEDIUM;
1818 	else
1819 		sec_level = authreq_to_seclevel(auth);
1820 
1821 	if (sec_level > conn->hcon->pending_sec_level)
1822 		conn->hcon->pending_sec_level = sec_level;
1823 
1824 	/* If we need MITM check that it can be achieved */
1825 	if (conn->hcon->pending_sec_level >= BT_SECURITY_HIGH) {
1826 		u8 method;
1827 
1828 		method = get_auth_method(smp, conn->hcon->io_capability,
1829 					 req->io_capability);
1830 		if (method == JUST_WORKS || method == JUST_CFM)
1831 			return SMP_AUTH_REQUIREMENTS;
1832 	}
1833 
1834 	key_size = min(req->max_key_size, rsp.max_key_size);
1835 	if (check_enc_key_size(conn, key_size))
1836 		return SMP_ENC_KEY_SIZE;
1837 
1838 	get_random_bytes(smp->prnd, sizeof(smp->prnd));
1839 
1840 	smp->prsp[0] = SMP_CMD_PAIRING_RSP;
1841 	memcpy(&smp->prsp[1], &rsp, sizeof(rsp));
1842 
1843 	smp_send_cmd(conn, SMP_CMD_PAIRING_RSP, sizeof(rsp), &rsp);
1844 
1845 	clear_bit(SMP_FLAG_INITIATOR, &smp->flags);
1846 
1847 	/* Strictly speaking we shouldn't allow Pairing Confirm for the
1848 	 * SC case, however some implementations incorrectly copy RFU auth
1849 	 * req bits from our security request, which may create a false
1850 	 * positive SC enablement.
1851 	 */
1852 	SMP_ALLOW_CMD(smp, SMP_CMD_PAIRING_CONFIRM);
1853 
1854 	if (test_bit(SMP_FLAG_SC, &smp->flags)) {
1855 		SMP_ALLOW_CMD(smp, SMP_CMD_PUBLIC_KEY);
1856 		/* Clear bits which are generated but not distributed */
1857 		smp->remote_key_dist &= ~SMP_SC_NO_DIST;
1858 		/* Wait for Public Key from Initiating Device */
1859 		return 0;
1860 	}
1861 
1862 	/* Request setup of TK */
1863 	ret = tk_request(conn, 0, auth, rsp.io_capability, req->io_capability);
1864 	if (ret)
1865 		return SMP_UNSPECIFIED;
1866 
1867 	return 0;
1868 }
1869 
1870 static u8 sc_send_public_key(struct smp_chan *smp)
1871 {
1872 	struct hci_dev *hdev = smp->conn->hcon->hdev;
1873 
1874 	BT_DBG("");
1875 
1876 	if (test_bit(SMP_FLAG_LOCAL_OOB, &smp->flags)) {
1877 		struct l2cap_chan *chan = hdev->smp_data;
1878 		struct smp_dev *smp_dev;
1879 
1880 		if (!chan || !chan->data)
1881 			return SMP_UNSPECIFIED;
1882 
1883 		smp_dev = chan->data;
1884 
1885 		memcpy(smp->local_pk, smp_dev->local_pk, 64);
1886 		memcpy(smp->local_sk, smp_dev->local_sk, 32);
1887 		memcpy(smp->lr, smp_dev->local_rand, 16);
1888 
1889 		if (smp_dev->debug_key)
1890 			set_bit(SMP_FLAG_DEBUG_KEY, &smp->flags);
1891 
1892 		goto done;
1893 	}
1894 
1895 	if (hci_dev_test_flag(hdev, HCI_USE_DEBUG_KEYS)) {
1896 		BT_DBG("Using debug keys");
1897 		memcpy(smp->local_pk, debug_pk, 64);
1898 		memcpy(smp->local_sk, debug_sk, 32);
1899 		set_bit(SMP_FLAG_DEBUG_KEY, &smp->flags);
1900 	} else {
1901 		while (true) {
1902 			/* Seed private key with random number */
1903 			get_random_bytes(smp->local_sk, 32);
1904 
1905 			/* Generate local key pair for Secure Connections */
1906 			if (!generate_ecdh_keys(smp->local_pk, smp->local_sk))
1907 				return SMP_UNSPECIFIED;
1908 
1909 			/* This is unlikely, but we need to check that
1910 			 * we didn't accidentially generate a debug key.
1911 			 */
1912 			if (crypto_memneq(smp->local_sk, debug_sk, 32))
1913 				break;
1914 		}
1915 	}
1916 
1917 done:
1918 	SMP_DBG("Local Public Key X: %32phN", smp->local_pk);
1919 	SMP_DBG("Local Public Key Y: %32phN", smp->local_pk + 32);
1920 	SMP_DBG("Local Private Key:  %32phN", smp->local_sk);
1921 
1922 	smp_send_cmd(smp->conn, SMP_CMD_PUBLIC_KEY, 64, smp->local_pk);
1923 
1924 	return 0;
1925 }
1926 
1927 static u8 smp_cmd_pairing_rsp(struct l2cap_conn *conn, struct sk_buff *skb)
1928 {
1929 	struct smp_cmd_pairing *req, *rsp = (void *) skb->data;
1930 	struct l2cap_chan *chan = conn->smp;
1931 	struct smp_chan *smp = chan->data;
1932 	struct hci_dev *hdev = conn->hcon->hdev;
1933 	u8 key_size, auth;
1934 	int ret;
1935 
1936 	BT_DBG("conn %p", conn);
1937 
1938 	if (skb->len < sizeof(*rsp))
1939 		return SMP_INVALID_PARAMS;
1940 
1941 	if (conn->hcon->role != HCI_ROLE_MASTER)
1942 		return SMP_CMD_NOTSUPP;
1943 
1944 	skb_pull(skb, sizeof(*rsp));
1945 
1946 	req = (void *) &smp->preq[1];
1947 
1948 	key_size = min(req->max_key_size, rsp->max_key_size);
1949 	if (check_enc_key_size(conn, key_size))
1950 		return SMP_ENC_KEY_SIZE;
1951 
1952 	auth = rsp->auth_req & AUTH_REQ_MASK(hdev);
1953 
1954 	if (hci_dev_test_flag(hdev, HCI_SC_ONLY) && !(auth & SMP_AUTH_SC))
1955 		return SMP_AUTH_REQUIREMENTS;
1956 
1957 	/* If the remote side's OOB flag is set it means it has
1958 	 * successfully received our local OOB data - therefore set the
1959 	 * flag to indicate that local OOB is in use.
1960 	 */
1961 	if (rsp->oob_flag == SMP_OOB_PRESENT)
1962 		set_bit(SMP_FLAG_LOCAL_OOB, &smp->flags);
1963 
1964 	smp->prsp[0] = SMP_CMD_PAIRING_RSP;
1965 	memcpy(&smp->prsp[1], rsp, sizeof(*rsp));
1966 
1967 	/* Update remote key distribution in case the remote cleared
1968 	 * some bits that we had enabled in our request.
1969 	 */
1970 	smp->remote_key_dist &= rsp->resp_key_dist;
1971 
1972 	if ((req->auth_req & SMP_AUTH_CT2) && (auth & SMP_AUTH_CT2))
1973 		set_bit(SMP_FLAG_CT2, &smp->flags);
1974 
1975 	/* For BR/EDR this means we're done and can start phase 3 */
1976 	if (conn->hcon->type == ACL_LINK) {
1977 		/* Clear bits which are generated but not distributed */
1978 		smp->remote_key_dist &= ~SMP_SC_NO_DIST;
1979 		smp_distribute_keys(smp);
1980 		return 0;
1981 	}
1982 
1983 	if ((req->auth_req & SMP_AUTH_SC) && (auth & SMP_AUTH_SC))
1984 		set_bit(SMP_FLAG_SC, &smp->flags);
1985 	else if (conn->hcon->pending_sec_level > BT_SECURITY_HIGH)
1986 		conn->hcon->pending_sec_level = BT_SECURITY_HIGH;
1987 
1988 	/* If we need MITM check that it can be achieved */
1989 	if (conn->hcon->pending_sec_level >= BT_SECURITY_HIGH) {
1990 		u8 method;
1991 
1992 		method = get_auth_method(smp, req->io_capability,
1993 					 rsp->io_capability);
1994 		if (method == JUST_WORKS || method == JUST_CFM)
1995 			return SMP_AUTH_REQUIREMENTS;
1996 	}
1997 
1998 	get_random_bytes(smp->prnd, sizeof(smp->prnd));
1999 
2000 	/* Update remote key distribution in case the remote cleared
2001 	 * some bits that we had enabled in our request.
2002 	 */
2003 	smp->remote_key_dist &= rsp->resp_key_dist;
2004 
2005 	if (test_bit(SMP_FLAG_SC, &smp->flags)) {
2006 		/* Clear bits which are generated but not distributed */
2007 		smp->remote_key_dist &= ~SMP_SC_NO_DIST;
2008 		SMP_ALLOW_CMD(smp, SMP_CMD_PUBLIC_KEY);
2009 		return sc_send_public_key(smp);
2010 	}
2011 
2012 	auth |= req->auth_req;
2013 
2014 	ret = tk_request(conn, 0, auth, req->io_capability, rsp->io_capability);
2015 	if (ret)
2016 		return SMP_UNSPECIFIED;
2017 
2018 	set_bit(SMP_FLAG_CFM_PENDING, &smp->flags);
2019 
2020 	/* Can't compose response until we have been confirmed */
2021 	if (test_bit(SMP_FLAG_TK_VALID, &smp->flags))
2022 		return smp_confirm(smp);
2023 
2024 	return 0;
2025 }
2026 
2027 static u8 sc_check_confirm(struct smp_chan *smp)
2028 {
2029 	struct l2cap_conn *conn = smp->conn;
2030 
2031 	BT_DBG("");
2032 
2033 	if (smp->method == REQ_PASSKEY || smp->method == DSP_PASSKEY)
2034 		return sc_passkey_round(smp, SMP_CMD_PAIRING_CONFIRM);
2035 
2036 	if (conn->hcon->out) {
2037 		smp_send_cmd(conn, SMP_CMD_PAIRING_RANDOM, sizeof(smp->prnd),
2038 			     smp->prnd);
2039 		SMP_ALLOW_CMD(smp, SMP_CMD_PAIRING_RANDOM);
2040 	}
2041 
2042 	return 0;
2043 }
2044 
2045 /* Work-around for some implementations that incorrectly copy RFU bits
2046  * from our security request and thereby create the impression that
2047  * we're doing SC when in fact the remote doesn't support it.
2048  */
2049 static int fixup_sc_false_positive(struct smp_chan *smp)
2050 {
2051 	struct l2cap_conn *conn = smp->conn;
2052 	struct hci_conn *hcon = conn->hcon;
2053 	struct hci_dev *hdev = hcon->hdev;
2054 	struct smp_cmd_pairing *req, *rsp;
2055 	u8 auth;
2056 
2057 	/* The issue is only observed when we're in slave role */
2058 	if (hcon->out)
2059 		return SMP_UNSPECIFIED;
2060 
2061 	if (hci_dev_test_flag(hdev, HCI_SC_ONLY)) {
2062 		BT_ERR("Refusing SMP SC -> legacy fallback in SC-only mode");
2063 		return SMP_UNSPECIFIED;
2064 	}
2065 
2066 	BT_ERR("Trying to fall back to legacy SMP");
2067 
2068 	req = (void *) &smp->preq[1];
2069 	rsp = (void *) &smp->prsp[1];
2070 
2071 	/* Rebuild key dist flags which may have been cleared for SC */
2072 	smp->remote_key_dist = (req->init_key_dist & rsp->resp_key_dist);
2073 
2074 	auth = req->auth_req & AUTH_REQ_MASK(hdev);
2075 
2076 	if (tk_request(conn, 0, auth, rsp->io_capability, req->io_capability)) {
2077 		BT_ERR("Failed to fall back to legacy SMP");
2078 		return SMP_UNSPECIFIED;
2079 	}
2080 
2081 	clear_bit(SMP_FLAG_SC, &smp->flags);
2082 
2083 	return 0;
2084 }
2085 
2086 static u8 smp_cmd_pairing_confirm(struct l2cap_conn *conn, struct sk_buff *skb)
2087 {
2088 	struct l2cap_chan *chan = conn->smp;
2089 	struct smp_chan *smp = chan->data;
2090 
2091 	BT_DBG("conn %p %s", conn, conn->hcon->out ? "master" : "slave");
2092 
2093 	if (skb->len < sizeof(smp->pcnf))
2094 		return SMP_INVALID_PARAMS;
2095 
2096 	memcpy(smp->pcnf, skb->data, sizeof(smp->pcnf));
2097 	skb_pull(skb, sizeof(smp->pcnf));
2098 
2099 	if (test_bit(SMP_FLAG_SC, &smp->flags)) {
2100 		int ret;
2101 
2102 		/* Public Key exchange must happen before any other steps */
2103 		if (test_bit(SMP_FLAG_REMOTE_PK, &smp->flags))
2104 			return sc_check_confirm(smp);
2105 
2106 		BT_ERR("Unexpected SMP Pairing Confirm");
2107 
2108 		ret = fixup_sc_false_positive(smp);
2109 		if (ret)
2110 			return ret;
2111 	}
2112 
2113 	if (conn->hcon->out) {
2114 		smp_send_cmd(conn, SMP_CMD_PAIRING_RANDOM, sizeof(smp->prnd),
2115 			     smp->prnd);
2116 		SMP_ALLOW_CMD(smp, SMP_CMD_PAIRING_RANDOM);
2117 		return 0;
2118 	}
2119 
2120 	if (test_bit(SMP_FLAG_TK_VALID, &smp->flags))
2121 		return smp_confirm(smp);
2122 
2123 	set_bit(SMP_FLAG_CFM_PENDING, &smp->flags);
2124 
2125 	return 0;
2126 }
2127 
2128 static u8 smp_cmd_pairing_random(struct l2cap_conn *conn, struct sk_buff *skb)
2129 {
2130 	struct l2cap_chan *chan = conn->smp;
2131 	struct smp_chan *smp = chan->data;
2132 	struct hci_conn *hcon = conn->hcon;
2133 	u8 *pkax, *pkbx, *na, *nb;
2134 	u32 passkey;
2135 	int err;
2136 
2137 	BT_DBG("conn %p", conn);
2138 
2139 	if (skb->len < sizeof(smp->rrnd))
2140 		return SMP_INVALID_PARAMS;
2141 
2142 	memcpy(smp->rrnd, skb->data, sizeof(smp->rrnd));
2143 	skb_pull(skb, sizeof(smp->rrnd));
2144 
2145 	if (!test_bit(SMP_FLAG_SC, &smp->flags))
2146 		return smp_random(smp);
2147 
2148 	if (hcon->out) {
2149 		pkax = smp->local_pk;
2150 		pkbx = smp->remote_pk;
2151 		na   = smp->prnd;
2152 		nb   = smp->rrnd;
2153 	} else {
2154 		pkax = smp->remote_pk;
2155 		pkbx = smp->local_pk;
2156 		na   = smp->rrnd;
2157 		nb   = smp->prnd;
2158 	}
2159 
2160 	if (smp->method == REQ_OOB) {
2161 		if (!hcon->out)
2162 			smp_send_cmd(conn, SMP_CMD_PAIRING_RANDOM,
2163 				     sizeof(smp->prnd), smp->prnd);
2164 		SMP_ALLOW_CMD(smp, SMP_CMD_DHKEY_CHECK);
2165 		goto mackey_and_ltk;
2166 	}
2167 
2168 	/* Passkey entry has special treatment */
2169 	if (smp->method == REQ_PASSKEY || smp->method == DSP_PASSKEY)
2170 		return sc_passkey_round(smp, SMP_CMD_PAIRING_RANDOM);
2171 
2172 	if (hcon->out) {
2173 		u8 cfm[16];
2174 
2175 		err = smp_f4(smp->tfm_cmac, smp->remote_pk, smp->local_pk,
2176 			     smp->rrnd, 0, cfm);
2177 		if (err)
2178 			return SMP_UNSPECIFIED;
2179 
2180 		if (crypto_memneq(smp->pcnf, cfm, 16))
2181 			return SMP_CONFIRM_FAILED;
2182 	} else {
2183 		smp_send_cmd(conn, SMP_CMD_PAIRING_RANDOM, sizeof(smp->prnd),
2184 			     smp->prnd);
2185 		SMP_ALLOW_CMD(smp, SMP_CMD_DHKEY_CHECK);
2186 	}
2187 
2188 mackey_and_ltk:
2189 	/* Generate MacKey and LTK */
2190 	err = sc_mackey_and_ltk(smp, smp->mackey, smp->tk);
2191 	if (err)
2192 		return SMP_UNSPECIFIED;
2193 
2194 	if (smp->method == JUST_WORKS || smp->method == REQ_OOB) {
2195 		if (hcon->out) {
2196 			sc_dhkey_check(smp);
2197 			SMP_ALLOW_CMD(smp, SMP_CMD_DHKEY_CHECK);
2198 		}
2199 		return 0;
2200 	}
2201 
2202 	err = smp_g2(smp->tfm_cmac, pkax, pkbx, na, nb, &passkey);
2203 	if (err)
2204 		return SMP_UNSPECIFIED;
2205 
2206 	err = mgmt_user_confirm_request(hcon->hdev, &hcon->dst, hcon->type,
2207 					hcon->dst_type, passkey, 0);
2208 	if (err)
2209 		return SMP_UNSPECIFIED;
2210 
2211 	set_bit(SMP_FLAG_WAIT_USER, &smp->flags);
2212 
2213 	return 0;
2214 }
2215 
2216 static bool smp_ltk_encrypt(struct l2cap_conn *conn, u8 sec_level)
2217 {
2218 	struct smp_ltk *key;
2219 	struct hci_conn *hcon = conn->hcon;
2220 
2221 	key = hci_find_ltk(hcon->hdev, &hcon->dst, hcon->dst_type, hcon->role);
2222 	if (!key)
2223 		return false;
2224 
2225 	if (smp_ltk_sec_level(key) < sec_level)
2226 		return false;
2227 
2228 	if (test_and_set_bit(HCI_CONN_ENCRYPT_PEND, &hcon->flags))
2229 		return true;
2230 
2231 	hci_le_start_enc(hcon, key->ediv, key->rand, key->val, key->enc_size);
2232 	hcon->enc_key_size = key->enc_size;
2233 
2234 	/* We never store STKs for master role, so clear this flag */
2235 	clear_bit(HCI_CONN_STK_ENCRYPT, &hcon->flags);
2236 
2237 	return true;
2238 }
2239 
2240 bool smp_sufficient_security(struct hci_conn *hcon, u8 sec_level,
2241 			     enum smp_key_pref key_pref)
2242 {
2243 	if (sec_level == BT_SECURITY_LOW)
2244 		return true;
2245 
2246 	/* If we're encrypted with an STK but the caller prefers using
2247 	 * LTK claim insufficient security. This way we allow the
2248 	 * connection to be re-encrypted with an LTK, even if the LTK
2249 	 * provides the same level of security. Only exception is if we
2250 	 * don't have an LTK (e.g. because of key distribution bits).
2251 	 */
2252 	if (key_pref == SMP_USE_LTK &&
2253 	    test_bit(HCI_CONN_STK_ENCRYPT, &hcon->flags) &&
2254 	    hci_find_ltk(hcon->hdev, &hcon->dst, hcon->dst_type, hcon->role))
2255 		return false;
2256 
2257 	if (hcon->sec_level >= sec_level)
2258 		return true;
2259 
2260 	return false;
2261 }
2262 
2263 static u8 smp_cmd_security_req(struct l2cap_conn *conn, struct sk_buff *skb)
2264 {
2265 	struct smp_cmd_security_req *rp = (void *) skb->data;
2266 	struct smp_cmd_pairing cp;
2267 	struct hci_conn *hcon = conn->hcon;
2268 	struct hci_dev *hdev = hcon->hdev;
2269 	struct smp_chan *smp;
2270 	u8 sec_level, auth;
2271 
2272 	BT_DBG("conn %p", conn);
2273 
2274 	if (skb->len < sizeof(*rp))
2275 		return SMP_INVALID_PARAMS;
2276 
2277 	if (hcon->role != HCI_ROLE_MASTER)
2278 		return SMP_CMD_NOTSUPP;
2279 
2280 	auth = rp->auth_req & AUTH_REQ_MASK(hdev);
2281 
2282 	if (hci_dev_test_flag(hdev, HCI_SC_ONLY) && !(auth & SMP_AUTH_SC))
2283 		return SMP_AUTH_REQUIREMENTS;
2284 
2285 	if (hcon->io_capability == HCI_IO_NO_INPUT_OUTPUT)
2286 		sec_level = BT_SECURITY_MEDIUM;
2287 	else
2288 		sec_level = authreq_to_seclevel(auth);
2289 
2290 	if (smp_sufficient_security(hcon, sec_level, SMP_USE_LTK))
2291 		return 0;
2292 
2293 	if (sec_level > hcon->pending_sec_level)
2294 		hcon->pending_sec_level = sec_level;
2295 
2296 	if (smp_ltk_encrypt(conn, hcon->pending_sec_level))
2297 		return 0;
2298 
2299 	smp = smp_chan_create(conn);
2300 	if (!smp)
2301 		return SMP_UNSPECIFIED;
2302 
2303 	if (!hci_dev_test_flag(hdev, HCI_BONDABLE) &&
2304 	    (auth & SMP_AUTH_BONDING))
2305 		return SMP_PAIRING_NOTSUPP;
2306 
2307 	skb_pull(skb, sizeof(*rp));
2308 
2309 	memset(&cp, 0, sizeof(cp));
2310 	build_pairing_cmd(conn, &cp, NULL, auth);
2311 
2312 	smp->preq[0] = SMP_CMD_PAIRING_REQ;
2313 	memcpy(&smp->preq[1], &cp, sizeof(cp));
2314 
2315 	smp_send_cmd(conn, SMP_CMD_PAIRING_REQ, sizeof(cp), &cp);
2316 	SMP_ALLOW_CMD(smp, SMP_CMD_PAIRING_RSP);
2317 
2318 	return 0;
2319 }
2320 
2321 int smp_conn_security(struct hci_conn *hcon, __u8 sec_level)
2322 {
2323 	struct l2cap_conn *conn = hcon->l2cap_data;
2324 	struct l2cap_chan *chan;
2325 	struct smp_chan *smp;
2326 	__u8 authreq;
2327 	int ret;
2328 
2329 	BT_DBG("conn %p hcon %p level 0x%2.2x", conn, hcon, sec_level);
2330 
2331 	/* This may be NULL if there's an unexpected disconnection */
2332 	if (!conn)
2333 		return 1;
2334 
2335 	if (!hci_dev_test_flag(hcon->hdev, HCI_LE_ENABLED))
2336 		return 1;
2337 
2338 	if (smp_sufficient_security(hcon, sec_level, SMP_USE_LTK))
2339 		return 1;
2340 
2341 	if (sec_level > hcon->pending_sec_level)
2342 		hcon->pending_sec_level = sec_level;
2343 
2344 	if (hcon->role == HCI_ROLE_MASTER)
2345 		if (smp_ltk_encrypt(conn, hcon->pending_sec_level))
2346 			return 0;
2347 
2348 	chan = conn->smp;
2349 	if (!chan) {
2350 		BT_ERR("SMP security requested but not available");
2351 		return 1;
2352 	}
2353 
2354 	l2cap_chan_lock(chan);
2355 
2356 	/* If SMP is already in progress ignore this request */
2357 	if (chan->data) {
2358 		ret = 0;
2359 		goto unlock;
2360 	}
2361 
2362 	smp = smp_chan_create(conn);
2363 	if (!smp) {
2364 		ret = 1;
2365 		goto unlock;
2366 	}
2367 
2368 	authreq = seclevel_to_authreq(sec_level);
2369 
2370 	if (hci_dev_test_flag(hcon->hdev, HCI_SC_ENABLED)) {
2371 		authreq |= SMP_AUTH_SC;
2372 		if (hci_dev_test_flag(hcon->hdev, HCI_SSP_ENABLED))
2373 			authreq |= SMP_AUTH_CT2;
2374 	}
2375 
2376 	/* Require MITM if IO Capability allows or the security level
2377 	 * requires it.
2378 	 */
2379 	if (hcon->io_capability != HCI_IO_NO_INPUT_OUTPUT ||
2380 	    hcon->pending_sec_level > BT_SECURITY_MEDIUM)
2381 		authreq |= SMP_AUTH_MITM;
2382 
2383 	if (hcon->role == HCI_ROLE_MASTER) {
2384 		struct smp_cmd_pairing cp;
2385 
2386 		build_pairing_cmd(conn, &cp, NULL, authreq);
2387 		smp->preq[0] = SMP_CMD_PAIRING_REQ;
2388 		memcpy(&smp->preq[1], &cp, sizeof(cp));
2389 
2390 		smp_send_cmd(conn, SMP_CMD_PAIRING_REQ, sizeof(cp), &cp);
2391 		SMP_ALLOW_CMD(smp, SMP_CMD_PAIRING_RSP);
2392 	} else {
2393 		struct smp_cmd_security_req cp;
2394 		cp.auth_req = authreq;
2395 		smp_send_cmd(conn, SMP_CMD_SECURITY_REQ, sizeof(cp), &cp);
2396 		SMP_ALLOW_CMD(smp, SMP_CMD_PAIRING_REQ);
2397 	}
2398 
2399 	set_bit(SMP_FLAG_INITIATOR, &smp->flags);
2400 	ret = 0;
2401 
2402 unlock:
2403 	l2cap_chan_unlock(chan);
2404 	return ret;
2405 }
2406 
2407 void smp_cancel_pairing(struct hci_conn *hcon)
2408 {
2409 	struct l2cap_conn *conn = hcon->l2cap_data;
2410 	struct l2cap_chan *chan;
2411 	struct smp_chan *smp;
2412 
2413 	if (!conn)
2414 		return;
2415 
2416 	chan = conn->smp;
2417 	if (!chan)
2418 		return;
2419 
2420 	l2cap_chan_lock(chan);
2421 
2422 	smp = chan->data;
2423 	if (smp) {
2424 		if (test_bit(SMP_FLAG_COMPLETE, &smp->flags))
2425 			smp_failure(conn, 0);
2426 		else
2427 			smp_failure(conn, SMP_UNSPECIFIED);
2428 	}
2429 
2430 	l2cap_chan_unlock(chan);
2431 }
2432 
2433 static int smp_cmd_encrypt_info(struct l2cap_conn *conn, struct sk_buff *skb)
2434 {
2435 	struct smp_cmd_encrypt_info *rp = (void *) skb->data;
2436 	struct l2cap_chan *chan = conn->smp;
2437 	struct smp_chan *smp = chan->data;
2438 
2439 	BT_DBG("conn %p", conn);
2440 
2441 	if (skb->len < sizeof(*rp))
2442 		return SMP_INVALID_PARAMS;
2443 
2444 	SMP_ALLOW_CMD(smp, SMP_CMD_MASTER_IDENT);
2445 
2446 	skb_pull(skb, sizeof(*rp));
2447 
2448 	memcpy(smp->tk, rp->ltk, sizeof(smp->tk));
2449 
2450 	return 0;
2451 }
2452 
2453 static int smp_cmd_master_ident(struct l2cap_conn *conn, struct sk_buff *skb)
2454 {
2455 	struct smp_cmd_master_ident *rp = (void *) skb->data;
2456 	struct l2cap_chan *chan = conn->smp;
2457 	struct smp_chan *smp = chan->data;
2458 	struct hci_dev *hdev = conn->hcon->hdev;
2459 	struct hci_conn *hcon = conn->hcon;
2460 	struct smp_ltk *ltk;
2461 	u8 authenticated;
2462 
2463 	BT_DBG("conn %p", conn);
2464 
2465 	if (skb->len < sizeof(*rp))
2466 		return SMP_INVALID_PARAMS;
2467 
2468 	/* Mark the information as received */
2469 	smp->remote_key_dist &= ~SMP_DIST_ENC_KEY;
2470 
2471 	if (smp->remote_key_dist & SMP_DIST_ID_KEY)
2472 		SMP_ALLOW_CMD(smp, SMP_CMD_IDENT_INFO);
2473 	else if (smp->remote_key_dist & SMP_DIST_SIGN)
2474 		SMP_ALLOW_CMD(smp, SMP_CMD_SIGN_INFO);
2475 
2476 	skb_pull(skb, sizeof(*rp));
2477 
2478 	authenticated = (hcon->sec_level == BT_SECURITY_HIGH);
2479 	ltk = hci_add_ltk(hdev, &hcon->dst, hcon->dst_type, SMP_LTK,
2480 			  authenticated, smp->tk, smp->enc_key_size,
2481 			  rp->ediv, rp->rand);
2482 	smp->ltk = ltk;
2483 	if (!(smp->remote_key_dist & KEY_DIST_MASK))
2484 		smp_distribute_keys(smp);
2485 
2486 	return 0;
2487 }
2488 
2489 static int smp_cmd_ident_info(struct l2cap_conn *conn, struct sk_buff *skb)
2490 {
2491 	struct smp_cmd_ident_info *info = (void *) skb->data;
2492 	struct l2cap_chan *chan = conn->smp;
2493 	struct smp_chan *smp = chan->data;
2494 
2495 	BT_DBG("");
2496 
2497 	if (skb->len < sizeof(*info))
2498 		return SMP_INVALID_PARAMS;
2499 
2500 	SMP_ALLOW_CMD(smp, SMP_CMD_IDENT_ADDR_INFO);
2501 
2502 	skb_pull(skb, sizeof(*info));
2503 
2504 	memcpy(smp->irk, info->irk, 16);
2505 
2506 	return 0;
2507 }
2508 
2509 static int smp_cmd_ident_addr_info(struct l2cap_conn *conn,
2510 				   struct sk_buff *skb)
2511 {
2512 	struct smp_cmd_ident_addr_info *info = (void *) skb->data;
2513 	struct l2cap_chan *chan = conn->smp;
2514 	struct smp_chan *smp = chan->data;
2515 	struct hci_conn *hcon = conn->hcon;
2516 	bdaddr_t rpa;
2517 
2518 	BT_DBG("");
2519 
2520 	if (skb->len < sizeof(*info))
2521 		return SMP_INVALID_PARAMS;
2522 
2523 	/* Mark the information as received */
2524 	smp->remote_key_dist &= ~SMP_DIST_ID_KEY;
2525 
2526 	if (smp->remote_key_dist & SMP_DIST_SIGN)
2527 		SMP_ALLOW_CMD(smp, SMP_CMD_SIGN_INFO);
2528 
2529 	skb_pull(skb, sizeof(*info));
2530 
2531 	/* Strictly speaking the Core Specification (4.1) allows sending
2532 	 * an empty address which would force us to rely on just the IRK
2533 	 * as "identity information". However, since such
2534 	 * implementations are not known of and in order to not over
2535 	 * complicate our implementation, simply pretend that we never
2536 	 * received an IRK for such a device.
2537 	 *
2538 	 * The Identity Address must also be a Static Random or Public
2539 	 * Address, which hci_is_identity_address() checks for.
2540 	 */
2541 	if (!bacmp(&info->bdaddr, BDADDR_ANY) ||
2542 	    !hci_is_identity_address(&info->bdaddr, info->addr_type)) {
2543 		BT_ERR("Ignoring IRK with no identity address");
2544 		goto distribute;
2545 	}
2546 
2547 	bacpy(&smp->id_addr, &info->bdaddr);
2548 	smp->id_addr_type = info->addr_type;
2549 
2550 	if (hci_bdaddr_is_rpa(&hcon->dst, hcon->dst_type))
2551 		bacpy(&rpa, &hcon->dst);
2552 	else
2553 		bacpy(&rpa, BDADDR_ANY);
2554 
2555 	smp->remote_irk = hci_add_irk(conn->hcon->hdev, &smp->id_addr,
2556 				      smp->id_addr_type, smp->irk, &rpa);
2557 
2558 distribute:
2559 	if (!(smp->remote_key_dist & KEY_DIST_MASK))
2560 		smp_distribute_keys(smp);
2561 
2562 	return 0;
2563 }
2564 
2565 static int smp_cmd_sign_info(struct l2cap_conn *conn, struct sk_buff *skb)
2566 {
2567 	struct smp_cmd_sign_info *rp = (void *) skb->data;
2568 	struct l2cap_chan *chan = conn->smp;
2569 	struct smp_chan *smp = chan->data;
2570 	struct smp_csrk *csrk;
2571 
2572 	BT_DBG("conn %p", conn);
2573 
2574 	if (skb->len < sizeof(*rp))
2575 		return SMP_INVALID_PARAMS;
2576 
2577 	/* Mark the information as received */
2578 	smp->remote_key_dist &= ~SMP_DIST_SIGN;
2579 
2580 	skb_pull(skb, sizeof(*rp));
2581 
2582 	csrk = kzalloc(sizeof(*csrk), GFP_KERNEL);
2583 	if (csrk) {
2584 		if (conn->hcon->sec_level > BT_SECURITY_MEDIUM)
2585 			csrk->type = MGMT_CSRK_REMOTE_AUTHENTICATED;
2586 		else
2587 			csrk->type = MGMT_CSRK_REMOTE_UNAUTHENTICATED;
2588 		memcpy(csrk->val, rp->csrk, sizeof(csrk->val));
2589 	}
2590 	smp->csrk = csrk;
2591 	smp_distribute_keys(smp);
2592 
2593 	return 0;
2594 }
2595 
2596 static u8 sc_select_method(struct smp_chan *smp)
2597 {
2598 	struct l2cap_conn *conn = smp->conn;
2599 	struct hci_conn *hcon = conn->hcon;
2600 	struct smp_cmd_pairing *local, *remote;
2601 	u8 local_mitm, remote_mitm, local_io, remote_io, method;
2602 
2603 	if (test_bit(SMP_FLAG_REMOTE_OOB, &smp->flags) ||
2604 	    test_bit(SMP_FLAG_LOCAL_OOB, &smp->flags))
2605 		return REQ_OOB;
2606 
2607 	/* The preq/prsp contain the raw Pairing Request/Response PDUs
2608 	 * which are needed as inputs to some crypto functions. To get
2609 	 * the "struct smp_cmd_pairing" from them we need to skip the
2610 	 * first byte which contains the opcode.
2611 	 */
2612 	if (hcon->out) {
2613 		local = (void *) &smp->preq[1];
2614 		remote = (void *) &smp->prsp[1];
2615 	} else {
2616 		local = (void *) &smp->prsp[1];
2617 		remote = (void *) &smp->preq[1];
2618 	}
2619 
2620 	local_io = local->io_capability;
2621 	remote_io = remote->io_capability;
2622 
2623 	local_mitm = (local->auth_req & SMP_AUTH_MITM);
2624 	remote_mitm = (remote->auth_req & SMP_AUTH_MITM);
2625 
2626 	/* If either side wants MITM, look up the method from the table,
2627 	 * otherwise use JUST WORKS.
2628 	 */
2629 	if (local_mitm || remote_mitm)
2630 		method = get_auth_method(smp, local_io, remote_io);
2631 	else
2632 		method = JUST_WORKS;
2633 
2634 	/* Don't confirm locally initiated pairing attempts */
2635 	if (method == JUST_CFM && test_bit(SMP_FLAG_INITIATOR, &smp->flags))
2636 		method = JUST_WORKS;
2637 
2638 	return method;
2639 }
2640 
2641 static int smp_cmd_public_key(struct l2cap_conn *conn, struct sk_buff *skb)
2642 {
2643 	struct smp_cmd_public_key *key = (void *) skb->data;
2644 	struct hci_conn *hcon = conn->hcon;
2645 	struct l2cap_chan *chan = conn->smp;
2646 	struct smp_chan *smp = chan->data;
2647 	struct hci_dev *hdev = hcon->hdev;
2648 	struct smp_cmd_pairing_confirm cfm;
2649 	int err;
2650 
2651 	BT_DBG("conn %p", conn);
2652 
2653 	if (skb->len < sizeof(*key))
2654 		return SMP_INVALID_PARAMS;
2655 
2656 	memcpy(smp->remote_pk, key, 64);
2657 
2658 	if (test_bit(SMP_FLAG_REMOTE_OOB, &smp->flags)) {
2659 		err = smp_f4(smp->tfm_cmac, smp->remote_pk, smp->remote_pk,
2660 			     smp->rr, 0, cfm.confirm_val);
2661 		if (err)
2662 			return SMP_UNSPECIFIED;
2663 
2664 		if (crypto_memneq(cfm.confirm_val, smp->pcnf, 16))
2665 			return SMP_CONFIRM_FAILED;
2666 	}
2667 
2668 	/* Non-initiating device sends its public key after receiving
2669 	 * the key from the initiating device.
2670 	 */
2671 	if (!hcon->out) {
2672 		err = sc_send_public_key(smp);
2673 		if (err)
2674 			return err;
2675 	}
2676 
2677 	SMP_DBG("Remote Public Key X: %32phN", smp->remote_pk);
2678 	SMP_DBG("Remote Public Key Y: %32phN", smp->remote_pk + 32);
2679 
2680 	if (!compute_ecdh_secret(smp->remote_pk, smp->local_sk, smp->dhkey))
2681 		return SMP_UNSPECIFIED;
2682 
2683 	SMP_DBG("DHKey %32phN", smp->dhkey);
2684 
2685 	set_bit(SMP_FLAG_REMOTE_PK, &smp->flags);
2686 
2687 	smp->method = sc_select_method(smp);
2688 
2689 	BT_DBG("%s selected method 0x%02x", hdev->name, smp->method);
2690 
2691 	/* JUST_WORKS and JUST_CFM result in an unauthenticated key */
2692 	if (smp->method == JUST_WORKS || smp->method == JUST_CFM)
2693 		hcon->pending_sec_level = BT_SECURITY_MEDIUM;
2694 	else
2695 		hcon->pending_sec_level = BT_SECURITY_FIPS;
2696 
2697 	if (!crypto_memneq(debug_pk, smp->remote_pk, 64))
2698 		set_bit(SMP_FLAG_DEBUG_KEY, &smp->flags);
2699 
2700 	if (smp->method == DSP_PASSKEY) {
2701 		get_random_bytes(&hcon->passkey_notify,
2702 				 sizeof(hcon->passkey_notify));
2703 		hcon->passkey_notify %= 1000000;
2704 		hcon->passkey_entered = 0;
2705 		smp->passkey_round = 0;
2706 		if (mgmt_user_passkey_notify(hdev, &hcon->dst, hcon->type,
2707 					     hcon->dst_type,
2708 					     hcon->passkey_notify,
2709 					     hcon->passkey_entered))
2710 			return SMP_UNSPECIFIED;
2711 		SMP_ALLOW_CMD(smp, SMP_CMD_PAIRING_CONFIRM);
2712 		return sc_passkey_round(smp, SMP_CMD_PUBLIC_KEY);
2713 	}
2714 
2715 	if (smp->method == REQ_OOB) {
2716 		if (hcon->out)
2717 			smp_send_cmd(conn, SMP_CMD_PAIRING_RANDOM,
2718 				     sizeof(smp->prnd), smp->prnd);
2719 
2720 		SMP_ALLOW_CMD(smp, SMP_CMD_PAIRING_RANDOM);
2721 
2722 		return 0;
2723 	}
2724 
2725 	if (hcon->out)
2726 		SMP_ALLOW_CMD(smp, SMP_CMD_PAIRING_CONFIRM);
2727 
2728 	if (smp->method == REQ_PASSKEY) {
2729 		if (mgmt_user_passkey_request(hdev, &hcon->dst, hcon->type,
2730 					      hcon->dst_type))
2731 			return SMP_UNSPECIFIED;
2732 		SMP_ALLOW_CMD(smp, SMP_CMD_PAIRING_CONFIRM);
2733 		set_bit(SMP_FLAG_WAIT_USER, &smp->flags);
2734 		return 0;
2735 	}
2736 
2737 	/* The Initiating device waits for the non-initiating device to
2738 	 * send the confirm value.
2739 	 */
2740 	if (conn->hcon->out)
2741 		return 0;
2742 
2743 	err = smp_f4(smp->tfm_cmac, smp->local_pk, smp->remote_pk, smp->prnd,
2744 		     0, cfm.confirm_val);
2745 	if (err)
2746 		return SMP_UNSPECIFIED;
2747 
2748 	smp_send_cmd(conn, SMP_CMD_PAIRING_CONFIRM, sizeof(cfm), &cfm);
2749 	SMP_ALLOW_CMD(smp, SMP_CMD_PAIRING_RANDOM);
2750 
2751 	return 0;
2752 }
2753 
2754 static int smp_cmd_dhkey_check(struct l2cap_conn *conn, struct sk_buff *skb)
2755 {
2756 	struct smp_cmd_dhkey_check *check = (void *) skb->data;
2757 	struct l2cap_chan *chan = conn->smp;
2758 	struct hci_conn *hcon = conn->hcon;
2759 	struct smp_chan *smp = chan->data;
2760 	u8 a[7], b[7], *local_addr, *remote_addr;
2761 	u8 io_cap[3], r[16], e[16];
2762 	int err;
2763 
2764 	BT_DBG("conn %p", conn);
2765 
2766 	if (skb->len < sizeof(*check))
2767 		return SMP_INVALID_PARAMS;
2768 
2769 	memcpy(a, &hcon->init_addr, 6);
2770 	memcpy(b, &hcon->resp_addr, 6);
2771 	a[6] = hcon->init_addr_type;
2772 	b[6] = hcon->resp_addr_type;
2773 
2774 	if (hcon->out) {
2775 		local_addr = a;
2776 		remote_addr = b;
2777 		memcpy(io_cap, &smp->prsp[1], 3);
2778 	} else {
2779 		local_addr = b;
2780 		remote_addr = a;
2781 		memcpy(io_cap, &smp->preq[1], 3);
2782 	}
2783 
2784 	memset(r, 0, sizeof(r));
2785 
2786 	if (smp->method == REQ_PASSKEY || smp->method == DSP_PASSKEY)
2787 		put_unaligned_le32(hcon->passkey_notify, r);
2788 	else if (smp->method == REQ_OOB)
2789 		memcpy(r, smp->lr, 16);
2790 
2791 	err = smp_f6(smp->tfm_cmac, smp->mackey, smp->rrnd, smp->prnd, r,
2792 		     io_cap, remote_addr, local_addr, e);
2793 	if (err)
2794 		return SMP_UNSPECIFIED;
2795 
2796 	if (crypto_memneq(check->e, e, 16))
2797 		return SMP_DHKEY_CHECK_FAILED;
2798 
2799 	if (!hcon->out) {
2800 		if (test_bit(SMP_FLAG_WAIT_USER, &smp->flags)) {
2801 			set_bit(SMP_FLAG_DHKEY_PENDING, &smp->flags);
2802 			return 0;
2803 		}
2804 
2805 		/* Slave sends DHKey check as response to master */
2806 		sc_dhkey_check(smp);
2807 	}
2808 
2809 	sc_add_ltk(smp);
2810 
2811 	if (hcon->out) {
2812 		hci_le_start_enc(hcon, 0, 0, smp->tk, smp->enc_key_size);
2813 		hcon->enc_key_size = smp->enc_key_size;
2814 	}
2815 
2816 	return 0;
2817 }
2818 
2819 static int smp_cmd_keypress_notify(struct l2cap_conn *conn,
2820 				   struct sk_buff *skb)
2821 {
2822 	struct smp_cmd_keypress_notify *kp = (void *) skb->data;
2823 
2824 	BT_DBG("value 0x%02x", kp->value);
2825 
2826 	return 0;
2827 }
2828 
2829 static int smp_sig_channel(struct l2cap_chan *chan, struct sk_buff *skb)
2830 {
2831 	struct l2cap_conn *conn = chan->conn;
2832 	struct hci_conn *hcon = conn->hcon;
2833 	struct smp_chan *smp;
2834 	__u8 code, reason;
2835 	int err = 0;
2836 
2837 	if (skb->len < 1)
2838 		return -EILSEQ;
2839 
2840 	if (!hci_dev_test_flag(hcon->hdev, HCI_LE_ENABLED)) {
2841 		reason = SMP_PAIRING_NOTSUPP;
2842 		goto done;
2843 	}
2844 
2845 	code = skb->data[0];
2846 	skb_pull(skb, sizeof(code));
2847 
2848 	smp = chan->data;
2849 
2850 	if (code > SMP_CMD_MAX)
2851 		goto drop;
2852 
2853 	if (smp && !test_and_clear_bit(code, &smp->allow_cmd))
2854 		goto drop;
2855 
2856 	/* If we don't have a context the only allowed commands are
2857 	 * pairing request and security request.
2858 	 */
2859 	if (!smp && code != SMP_CMD_PAIRING_REQ && code != SMP_CMD_SECURITY_REQ)
2860 		goto drop;
2861 
2862 	switch (code) {
2863 	case SMP_CMD_PAIRING_REQ:
2864 		reason = smp_cmd_pairing_req(conn, skb);
2865 		break;
2866 
2867 	case SMP_CMD_PAIRING_FAIL:
2868 		smp_failure(conn, 0);
2869 		err = -EPERM;
2870 		break;
2871 
2872 	case SMP_CMD_PAIRING_RSP:
2873 		reason = smp_cmd_pairing_rsp(conn, skb);
2874 		break;
2875 
2876 	case SMP_CMD_SECURITY_REQ:
2877 		reason = smp_cmd_security_req(conn, skb);
2878 		break;
2879 
2880 	case SMP_CMD_PAIRING_CONFIRM:
2881 		reason = smp_cmd_pairing_confirm(conn, skb);
2882 		break;
2883 
2884 	case SMP_CMD_PAIRING_RANDOM:
2885 		reason = smp_cmd_pairing_random(conn, skb);
2886 		break;
2887 
2888 	case SMP_CMD_ENCRYPT_INFO:
2889 		reason = smp_cmd_encrypt_info(conn, skb);
2890 		break;
2891 
2892 	case SMP_CMD_MASTER_IDENT:
2893 		reason = smp_cmd_master_ident(conn, skb);
2894 		break;
2895 
2896 	case SMP_CMD_IDENT_INFO:
2897 		reason = smp_cmd_ident_info(conn, skb);
2898 		break;
2899 
2900 	case SMP_CMD_IDENT_ADDR_INFO:
2901 		reason = smp_cmd_ident_addr_info(conn, skb);
2902 		break;
2903 
2904 	case SMP_CMD_SIGN_INFO:
2905 		reason = smp_cmd_sign_info(conn, skb);
2906 		break;
2907 
2908 	case SMP_CMD_PUBLIC_KEY:
2909 		reason = smp_cmd_public_key(conn, skb);
2910 		break;
2911 
2912 	case SMP_CMD_DHKEY_CHECK:
2913 		reason = smp_cmd_dhkey_check(conn, skb);
2914 		break;
2915 
2916 	case SMP_CMD_KEYPRESS_NOTIFY:
2917 		reason = smp_cmd_keypress_notify(conn, skb);
2918 		break;
2919 
2920 	default:
2921 		BT_DBG("Unknown command code 0x%2.2x", code);
2922 		reason = SMP_CMD_NOTSUPP;
2923 		goto done;
2924 	}
2925 
2926 done:
2927 	if (!err) {
2928 		if (reason)
2929 			smp_failure(conn, reason);
2930 		kfree_skb(skb);
2931 	}
2932 
2933 	return err;
2934 
2935 drop:
2936 	BT_ERR("%s unexpected SMP command 0x%02x from %pMR", hcon->hdev->name,
2937 	       code, &hcon->dst);
2938 	kfree_skb(skb);
2939 	return 0;
2940 }
2941 
2942 static void smp_teardown_cb(struct l2cap_chan *chan, int err)
2943 {
2944 	struct l2cap_conn *conn = chan->conn;
2945 
2946 	BT_DBG("chan %p", chan);
2947 
2948 	if (chan->data)
2949 		smp_chan_destroy(conn);
2950 
2951 	conn->smp = NULL;
2952 	l2cap_chan_put(chan);
2953 }
2954 
2955 static void bredr_pairing(struct l2cap_chan *chan)
2956 {
2957 	struct l2cap_conn *conn = chan->conn;
2958 	struct hci_conn *hcon = conn->hcon;
2959 	struct hci_dev *hdev = hcon->hdev;
2960 	struct smp_cmd_pairing req;
2961 	struct smp_chan *smp;
2962 
2963 	BT_DBG("chan %p", chan);
2964 
2965 	/* Only new pairings are interesting */
2966 	if (!test_bit(HCI_CONN_NEW_LINK_KEY, &hcon->flags))
2967 		return;
2968 
2969 	/* Don't bother if we're not encrypted */
2970 	if (!test_bit(HCI_CONN_ENCRYPT, &hcon->flags))
2971 		return;
2972 
2973 	/* Only master may initiate SMP over BR/EDR */
2974 	if (hcon->role != HCI_ROLE_MASTER)
2975 		return;
2976 
2977 	/* Secure Connections support must be enabled */
2978 	if (!hci_dev_test_flag(hdev, HCI_SC_ENABLED))
2979 		return;
2980 
2981 	/* BR/EDR must use Secure Connections for SMP */
2982 	if (!test_bit(HCI_CONN_AES_CCM, &hcon->flags) &&
2983 	    !hci_dev_test_flag(hdev, HCI_FORCE_BREDR_SMP))
2984 		return;
2985 
2986 	/* If our LE support is not enabled don't do anything */
2987 	if (!hci_dev_test_flag(hdev, HCI_LE_ENABLED))
2988 		return;
2989 
2990 	/* Don't bother if remote LE support is not enabled */
2991 	if (!lmp_host_le_capable(hcon))
2992 		return;
2993 
2994 	/* Remote must support SMP fixed chan for BR/EDR */
2995 	if (!(conn->remote_fixed_chan & L2CAP_FC_SMP_BREDR))
2996 		return;
2997 
2998 	/* Don't bother if SMP is already ongoing */
2999 	if (chan->data)
3000 		return;
3001 
3002 	smp = smp_chan_create(conn);
3003 	if (!smp) {
3004 		BT_ERR("%s unable to create SMP context for BR/EDR",
3005 		       hdev->name);
3006 		return;
3007 	}
3008 
3009 	set_bit(SMP_FLAG_SC, &smp->flags);
3010 
3011 	BT_DBG("%s starting SMP over BR/EDR", hdev->name);
3012 
3013 	/* Prepare and send the BR/EDR SMP Pairing Request */
3014 	build_bredr_pairing_cmd(smp, &req, NULL);
3015 
3016 	smp->preq[0] = SMP_CMD_PAIRING_REQ;
3017 	memcpy(&smp->preq[1], &req, sizeof(req));
3018 
3019 	smp_send_cmd(conn, SMP_CMD_PAIRING_REQ, sizeof(req), &req);
3020 	SMP_ALLOW_CMD(smp, SMP_CMD_PAIRING_RSP);
3021 }
3022 
3023 static void smp_resume_cb(struct l2cap_chan *chan)
3024 {
3025 	struct smp_chan *smp = chan->data;
3026 	struct l2cap_conn *conn = chan->conn;
3027 	struct hci_conn *hcon = conn->hcon;
3028 
3029 	BT_DBG("chan %p", chan);
3030 
3031 	if (hcon->type == ACL_LINK) {
3032 		bredr_pairing(chan);
3033 		return;
3034 	}
3035 
3036 	if (!smp)
3037 		return;
3038 
3039 	if (!test_bit(HCI_CONN_ENCRYPT, &hcon->flags))
3040 		return;
3041 
3042 	cancel_delayed_work(&smp->security_timer);
3043 
3044 	smp_distribute_keys(smp);
3045 }
3046 
3047 static void smp_ready_cb(struct l2cap_chan *chan)
3048 {
3049 	struct l2cap_conn *conn = chan->conn;
3050 	struct hci_conn *hcon = conn->hcon;
3051 
3052 	BT_DBG("chan %p", chan);
3053 
3054 	/* No need to call l2cap_chan_hold() here since we already own
3055 	 * the reference taken in smp_new_conn_cb(). This is just the
3056 	 * first time that we tie it to a specific pointer. The code in
3057 	 * l2cap_core.c ensures that there's no risk this function wont
3058 	 * get called if smp_new_conn_cb was previously called.
3059 	 */
3060 	conn->smp = chan;
3061 
3062 	if (hcon->type == ACL_LINK && test_bit(HCI_CONN_ENCRYPT, &hcon->flags))
3063 		bredr_pairing(chan);
3064 }
3065 
3066 static int smp_recv_cb(struct l2cap_chan *chan, struct sk_buff *skb)
3067 {
3068 	int err;
3069 
3070 	BT_DBG("chan %p", chan);
3071 
3072 	err = smp_sig_channel(chan, skb);
3073 	if (err) {
3074 		struct smp_chan *smp = chan->data;
3075 
3076 		if (smp)
3077 			cancel_delayed_work_sync(&smp->security_timer);
3078 
3079 		hci_disconnect(chan->conn->hcon, HCI_ERROR_AUTH_FAILURE);
3080 	}
3081 
3082 	return err;
3083 }
3084 
3085 static struct sk_buff *smp_alloc_skb_cb(struct l2cap_chan *chan,
3086 					unsigned long hdr_len,
3087 					unsigned long len, int nb)
3088 {
3089 	struct sk_buff *skb;
3090 
3091 	skb = bt_skb_alloc(hdr_len + len, GFP_KERNEL);
3092 	if (!skb)
3093 		return ERR_PTR(-ENOMEM);
3094 
3095 	skb->priority = HCI_PRIO_MAX;
3096 	bt_cb(skb)->l2cap.chan = chan;
3097 
3098 	return skb;
3099 }
3100 
3101 static const struct l2cap_ops smp_chan_ops = {
3102 	.name			= "Security Manager",
3103 	.ready			= smp_ready_cb,
3104 	.recv			= smp_recv_cb,
3105 	.alloc_skb		= smp_alloc_skb_cb,
3106 	.teardown		= smp_teardown_cb,
3107 	.resume			= smp_resume_cb,
3108 
3109 	.new_connection		= l2cap_chan_no_new_connection,
3110 	.state_change		= l2cap_chan_no_state_change,
3111 	.close			= l2cap_chan_no_close,
3112 	.defer			= l2cap_chan_no_defer,
3113 	.suspend		= l2cap_chan_no_suspend,
3114 	.set_shutdown		= l2cap_chan_no_set_shutdown,
3115 	.get_sndtimeo		= l2cap_chan_no_get_sndtimeo,
3116 };
3117 
3118 static inline struct l2cap_chan *smp_new_conn_cb(struct l2cap_chan *pchan)
3119 {
3120 	struct l2cap_chan *chan;
3121 
3122 	BT_DBG("pchan %p", pchan);
3123 
3124 	chan = l2cap_chan_create();
3125 	if (!chan)
3126 		return NULL;
3127 
3128 	chan->chan_type	= pchan->chan_type;
3129 	chan->ops	= &smp_chan_ops;
3130 	chan->scid	= pchan->scid;
3131 	chan->dcid	= chan->scid;
3132 	chan->imtu	= pchan->imtu;
3133 	chan->omtu	= pchan->omtu;
3134 	chan->mode	= pchan->mode;
3135 
3136 	/* Other L2CAP channels may request SMP routines in order to
3137 	 * change the security level. This means that the SMP channel
3138 	 * lock must be considered in its own category to avoid lockdep
3139 	 * warnings.
3140 	 */
3141 	atomic_set(&chan->nesting, L2CAP_NESTING_SMP);
3142 
3143 	BT_DBG("created chan %p", chan);
3144 
3145 	return chan;
3146 }
3147 
3148 static const struct l2cap_ops smp_root_chan_ops = {
3149 	.name			= "Security Manager Root",
3150 	.new_connection		= smp_new_conn_cb,
3151 
3152 	/* None of these are implemented for the root channel */
3153 	.close			= l2cap_chan_no_close,
3154 	.alloc_skb		= l2cap_chan_no_alloc_skb,
3155 	.recv			= l2cap_chan_no_recv,
3156 	.state_change		= l2cap_chan_no_state_change,
3157 	.teardown		= l2cap_chan_no_teardown,
3158 	.ready			= l2cap_chan_no_ready,
3159 	.defer			= l2cap_chan_no_defer,
3160 	.suspend		= l2cap_chan_no_suspend,
3161 	.resume			= l2cap_chan_no_resume,
3162 	.set_shutdown		= l2cap_chan_no_set_shutdown,
3163 	.get_sndtimeo		= l2cap_chan_no_get_sndtimeo,
3164 };
3165 
3166 static struct l2cap_chan *smp_add_cid(struct hci_dev *hdev, u16 cid)
3167 {
3168 	struct l2cap_chan *chan;
3169 	struct smp_dev *smp;
3170 	struct crypto_cipher *tfm_aes;
3171 	struct crypto_shash *tfm_cmac;
3172 
3173 	if (cid == L2CAP_CID_SMP_BREDR) {
3174 		smp = NULL;
3175 		goto create_chan;
3176 	}
3177 
3178 	smp = kzalloc(sizeof(*smp), GFP_KERNEL);
3179 	if (!smp)
3180 		return ERR_PTR(-ENOMEM);
3181 
3182 	tfm_aes = crypto_alloc_cipher("aes", 0, CRYPTO_ALG_ASYNC);
3183 	if (IS_ERR(tfm_aes)) {
3184 		BT_ERR("Unable to create AES crypto context");
3185 		kzfree(smp);
3186 		return ERR_CAST(tfm_aes);
3187 	}
3188 
3189 	tfm_cmac = crypto_alloc_shash("cmac(aes)", 0, 0);
3190 	if (IS_ERR(tfm_cmac)) {
3191 		BT_ERR("Unable to create CMAC crypto context");
3192 		crypto_free_cipher(tfm_aes);
3193 		kzfree(smp);
3194 		return ERR_CAST(tfm_cmac);
3195 	}
3196 
3197 	smp->tfm_aes = tfm_aes;
3198 	smp->tfm_cmac = tfm_cmac;
3199 	smp->min_key_size = SMP_MIN_ENC_KEY_SIZE;
3200 	smp->max_key_size = SMP_MAX_ENC_KEY_SIZE;
3201 
3202 create_chan:
3203 	chan = l2cap_chan_create();
3204 	if (!chan) {
3205 		if (smp) {
3206 			crypto_free_cipher(smp->tfm_aes);
3207 			crypto_free_shash(smp->tfm_cmac);
3208 			kzfree(smp);
3209 		}
3210 		return ERR_PTR(-ENOMEM);
3211 	}
3212 
3213 	chan->data = smp;
3214 
3215 	l2cap_add_scid(chan, cid);
3216 
3217 	l2cap_chan_set_defaults(chan);
3218 
3219 	if (cid == L2CAP_CID_SMP) {
3220 		u8 bdaddr_type;
3221 
3222 		hci_copy_identity_address(hdev, &chan->src, &bdaddr_type);
3223 
3224 		if (bdaddr_type == ADDR_LE_DEV_PUBLIC)
3225 			chan->src_type = BDADDR_LE_PUBLIC;
3226 		else
3227 			chan->src_type = BDADDR_LE_RANDOM;
3228 	} else {
3229 		bacpy(&chan->src, &hdev->bdaddr);
3230 		chan->src_type = BDADDR_BREDR;
3231 	}
3232 
3233 	chan->state = BT_LISTEN;
3234 	chan->mode = L2CAP_MODE_BASIC;
3235 	chan->imtu = L2CAP_DEFAULT_MTU;
3236 	chan->ops = &smp_root_chan_ops;
3237 
3238 	/* Set correct nesting level for a parent/listening channel */
3239 	atomic_set(&chan->nesting, L2CAP_NESTING_PARENT);
3240 
3241 	return chan;
3242 }
3243 
3244 static void smp_del_chan(struct l2cap_chan *chan)
3245 {
3246 	struct smp_dev *smp;
3247 
3248 	BT_DBG("chan %p", chan);
3249 
3250 	smp = chan->data;
3251 	if (smp) {
3252 		chan->data = NULL;
3253 		crypto_free_cipher(smp->tfm_aes);
3254 		crypto_free_shash(smp->tfm_cmac);
3255 		kzfree(smp);
3256 	}
3257 
3258 	l2cap_chan_put(chan);
3259 }
3260 
3261 static ssize_t force_bredr_smp_read(struct file *file,
3262 				    char __user *user_buf,
3263 				    size_t count, loff_t *ppos)
3264 {
3265 	struct hci_dev *hdev = file->private_data;
3266 	char buf[3];
3267 
3268 	buf[0] = hci_dev_test_flag(hdev, HCI_FORCE_BREDR_SMP) ? 'Y': 'N';
3269 	buf[1] = '\n';
3270 	buf[2] = '\0';
3271 	return simple_read_from_buffer(user_buf, count, ppos, buf, 2);
3272 }
3273 
3274 static ssize_t force_bredr_smp_write(struct file *file,
3275 				     const char __user *user_buf,
3276 				     size_t count, loff_t *ppos)
3277 {
3278 	struct hci_dev *hdev = file->private_data;
3279 	char buf[32];
3280 	size_t buf_size = min(count, (sizeof(buf)-1));
3281 	bool enable;
3282 
3283 	if (copy_from_user(buf, user_buf, buf_size))
3284 		return -EFAULT;
3285 
3286 	buf[buf_size] = '\0';
3287 	if (strtobool(buf, &enable))
3288 		return -EINVAL;
3289 
3290 	if (enable == hci_dev_test_flag(hdev, HCI_FORCE_BREDR_SMP))
3291 		return -EALREADY;
3292 
3293 	if (enable) {
3294 		struct l2cap_chan *chan;
3295 
3296 		chan = smp_add_cid(hdev, L2CAP_CID_SMP_BREDR);
3297 		if (IS_ERR(chan))
3298 			return PTR_ERR(chan);
3299 
3300 		hdev->smp_bredr_data = chan;
3301 	} else {
3302 		struct l2cap_chan *chan;
3303 
3304 		chan = hdev->smp_bredr_data;
3305 		hdev->smp_bredr_data = NULL;
3306 		smp_del_chan(chan);
3307 	}
3308 
3309 	hci_dev_change_flag(hdev, HCI_FORCE_BREDR_SMP);
3310 
3311 	return count;
3312 }
3313 
3314 static const struct file_operations force_bredr_smp_fops = {
3315 	.open		= simple_open,
3316 	.read		= force_bredr_smp_read,
3317 	.write		= force_bredr_smp_write,
3318 	.llseek		= default_llseek,
3319 };
3320 
3321 static ssize_t le_min_key_size_read(struct file *file,
3322 				     char __user *user_buf,
3323 				     size_t count, loff_t *ppos)
3324 {
3325 	struct hci_dev *hdev = file->private_data;
3326 	char buf[4];
3327 
3328 	snprintf(buf, sizeof(buf), "%2u\n", SMP_DEV(hdev)->min_key_size);
3329 
3330 	return simple_read_from_buffer(user_buf, count, ppos, buf, strlen(buf));
3331 }
3332 
3333 static ssize_t le_min_key_size_write(struct file *file,
3334 				      const char __user *user_buf,
3335 				      size_t count, loff_t *ppos)
3336 {
3337 	struct hci_dev *hdev = file->private_data;
3338 	char buf[32];
3339 	size_t buf_size = min(count, (sizeof(buf) - 1));
3340 	u8 key_size;
3341 
3342 	if (copy_from_user(buf, user_buf, buf_size))
3343 		return -EFAULT;
3344 
3345 	buf[buf_size] = '\0';
3346 
3347 	sscanf(buf, "%hhu", &key_size);
3348 
3349 	if (key_size > SMP_DEV(hdev)->max_key_size ||
3350 	    key_size < SMP_MIN_ENC_KEY_SIZE)
3351 		return -EINVAL;
3352 
3353 	SMP_DEV(hdev)->min_key_size = key_size;
3354 
3355 	return count;
3356 }
3357 
3358 static const struct file_operations le_min_key_size_fops = {
3359 	.open		= simple_open,
3360 	.read		= le_min_key_size_read,
3361 	.write		= le_min_key_size_write,
3362 	.llseek		= default_llseek,
3363 };
3364 
3365 static ssize_t le_max_key_size_read(struct file *file,
3366 				     char __user *user_buf,
3367 				     size_t count, loff_t *ppos)
3368 {
3369 	struct hci_dev *hdev = file->private_data;
3370 	char buf[4];
3371 
3372 	snprintf(buf, sizeof(buf), "%2u\n", SMP_DEV(hdev)->max_key_size);
3373 
3374 	return simple_read_from_buffer(user_buf, count, ppos, buf, strlen(buf));
3375 }
3376 
3377 static ssize_t le_max_key_size_write(struct file *file,
3378 				      const char __user *user_buf,
3379 				      size_t count, loff_t *ppos)
3380 {
3381 	struct hci_dev *hdev = file->private_data;
3382 	char buf[32];
3383 	size_t buf_size = min(count, (sizeof(buf) - 1));
3384 	u8 key_size;
3385 
3386 	if (copy_from_user(buf, user_buf, buf_size))
3387 		return -EFAULT;
3388 
3389 	buf[buf_size] = '\0';
3390 
3391 	sscanf(buf, "%hhu", &key_size);
3392 
3393 	if (key_size > SMP_MAX_ENC_KEY_SIZE ||
3394 	    key_size < SMP_DEV(hdev)->min_key_size)
3395 		return -EINVAL;
3396 
3397 	SMP_DEV(hdev)->max_key_size = key_size;
3398 
3399 	return count;
3400 }
3401 
3402 static const struct file_operations le_max_key_size_fops = {
3403 	.open		= simple_open,
3404 	.read		= le_max_key_size_read,
3405 	.write		= le_max_key_size_write,
3406 	.llseek		= default_llseek,
3407 };
3408 
3409 int smp_register(struct hci_dev *hdev)
3410 {
3411 	struct l2cap_chan *chan;
3412 
3413 	BT_DBG("%s", hdev->name);
3414 
3415 	/* If the controller does not support Low Energy operation, then
3416 	 * there is also no need to register any SMP channel.
3417 	 */
3418 	if (!lmp_le_capable(hdev))
3419 		return 0;
3420 
3421 	if (WARN_ON(hdev->smp_data)) {
3422 		chan = hdev->smp_data;
3423 		hdev->smp_data = NULL;
3424 		smp_del_chan(chan);
3425 	}
3426 
3427 	chan = smp_add_cid(hdev, L2CAP_CID_SMP);
3428 	if (IS_ERR(chan))
3429 		return PTR_ERR(chan);
3430 
3431 	hdev->smp_data = chan;
3432 
3433 	debugfs_create_file("le_min_key_size", 0644, hdev->debugfs, hdev,
3434 			    &le_min_key_size_fops);
3435 	debugfs_create_file("le_max_key_size", 0644, hdev->debugfs, hdev,
3436 			    &le_max_key_size_fops);
3437 
3438 	/* If the controller does not support BR/EDR Secure Connections
3439 	 * feature, then the BR/EDR SMP channel shall not be present.
3440 	 *
3441 	 * To test this with Bluetooth 4.0 controllers, create a debugfs
3442 	 * switch that allows forcing BR/EDR SMP support and accepting
3443 	 * cross-transport pairing on non-AES encrypted connections.
3444 	 */
3445 	if (!lmp_sc_capable(hdev)) {
3446 		debugfs_create_file("force_bredr_smp", 0644, hdev->debugfs,
3447 				    hdev, &force_bredr_smp_fops);
3448 
3449 		/* Flag can be already set here (due to power toggle) */
3450 		if (!hci_dev_test_flag(hdev, HCI_FORCE_BREDR_SMP))
3451 			return 0;
3452 	}
3453 
3454 	if (WARN_ON(hdev->smp_bredr_data)) {
3455 		chan = hdev->smp_bredr_data;
3456 		hdev->smp_bredr_data = NULL;
3457 		smp_del_chan(chan);
3458 	}
3459 
3460 	chan = smp_add_cid(hdev, L2CAP_CID_SMP_BREDR);
3461 	if (IS_ERR(chan)) {
3462 		int err = PTR_ERR(chan);
3463 		chan = hdev->smp_data;
3464 		hdev->smp_data = NULL;
3465 		smp_del_chan(chan);
3466 		return err;
3467 	}
3468 
3469 	hdev->smp_bredr_data = chan;
3470 
3471 	return 0;
3472 }
3473 
3474 void smp_unregister(struct hci_dev *hdev)
3475 {
3476 	struct l2cap_chan *chan;
3477 
3478 	if (hdev->smp_bredr_data) {
3479 		chan = hdev->smp_bredr_data;
3480 		hdev->smp_bredr_data = NULL;
3481 		smp_del_chan(chan);
3482 	}
3483 
3484 	if (hdev->smp_data) {
3485 		chan = hdev->smp_data;
3486 		hdev->smp_data = NULL;
3487 		smp_del_chan(chan);
3488 	}
3489 }
3490 
3491 #if IS_ENABLED(CONFIG_BT_SELFTEST_SMP)
3492 
3493 static inline void swap_digits(u64 *in, u64 *out, unsigned int ndigits)
3494 {
3495 	int i;
3496 
3497 	for (i = 0; i < ndigits; i++)
3498 		out[i] = __swab64(in[ndigits - 1 - i]);
3499 }
3500 
3501 static int __init test_debug_key(void)
3502 {
3503 	u8 pk[64], sk[32];
3504 
3505 	swap_digits((u64 *)debug_sk, (u64 *)sk, 4);
3506 
3507 	if (!generate_ecdh_keys(pk, sk))
3508 		return -EINVAL;
3509 
3510 	if (crypto_memneq(sk, debug_sk, 32))
3511 		return -EINVAL;
3512 
3513 	if (crypto_memneq(pk, debug_pk, 64))
3514 		return -EINVAL;
3515 
3516 	return 0;
3517 }
3518 
3519 static int __init test_ah(struct crypto_cipher *tfm_aes)
3520 {
3521 	const u8 irk[16] = {
3522 			0x9b, 0x7d, 0x39, 0x0a, 0xa6, 0x10, 0x10, 0x34,
3523 			0x05, 0xad, 0xc8, 0x57, 0xa3, 0x34, 0x02, 0xec };
3524 	const u8 r[3] = { 0x94, 0x81, 0x70 };
3525 	const u8 exp[3] = { 0xaa, 0xfb, 0x0d };
3526 	u8 res[3];
3527 	int err;
3528 
3529 	err = smp_ah(tfm_aes, irk, r, res);
3530 	if (err)
3531 		return err;
3532 
3533 	if (crypto_memneq(res, exp, 3))
3534 		return -EINVAL;
3535 
3536 	return 0;
3537 }
3538 
3539 static int __init test_c1(struct crypto_cipher *tfm_aes)
3540 {
3541 	const u8 k[16] = {
3542 			0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
3543 			0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 };
3544 	const u8 r[16] = {
3545 			0xe0, 0x2e, 0x70, 0xc6, 0x4e, 0x27, 0x88, 0x63,
3546 			0x0e, 0x6f, 0xad, 0x56, 0x21, 0xd5, 0x83, 0x57 };
3547 	const u8 preq[7] = { 0x01, 0x01, 0x00, 0x00, 0x10, 0x07, 0x07 };
3548 	const u8 pres[7] = { 0x02, 0x03, 0x00, 0x00, 0x08, 0x00, 0x05 };
3549 	const u8 _iat = 0x01;
3550 	const u8 _rat = 0x00;
3551 	const bdaddr_t ra = { { 0xb6, 0xb5, 0xb4, 0xb3, 0xb2, 0xb1 } };
3552 	const bdaddr_t ia = { { 0xa6, 0xa5, 0xa4, 0xa3, 0xa2, 0xa1 } };
3553 	const u8 exp[16] = {
3554 			0x86, 0x3b, 0xf1, 0xbe, 0xc5, 0x4d, 0xa7, 0xd2,
3555 			0xea, 0x88, 0x89, 0x87, 0xef, 0x3f, 0x1e, 0x1e };
3556 	u8 res[16];
3557 	int err;
3558 
3559 	err = smp_c1(tfm_aes, k, r, preq, pres, _iat, &ia, _rat, &ra, res);
3560 	if (err)
3561 		return err;
3562 
3563 	if (crypto_memneq(res, exp, 16))
3564 		return -EINVAL;
3565 
3566 	return 0;
3567 }
3568 
3569 static int __init test_s1(struct crypto_cipher *tfm_aes)
3570 {
3571 	const u8 k[16] = {
3572 			0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
3573 			0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 };
3574 	const u8 r1[16] = {
3575 			0x88, 0x77, 0x66, 0x55, 0x44, 0x33, 0x22, 0x11 };
3576 	const u8 r2[16] = {
3577 			0x00, 0xff, 0xee, 0xdd, 0xcc, 0xbb, 0xaa, 0x99 };
3578 	const u8 exp[16] = {
3579 			0x62, 0xa0, 0x6d, 0x79, 0xae, 0x16, 0x42, 0x5b,
3580 			0x9b, 0xf4, 0xb0, 0xe8, 0xf0, 0xe1, 0x1f, 0x9a };
3581 	u8 res[16];
3582 	int err;
3583 
3584 	err = smp_s1(tfm_aes, k, r1, r2, res);
3585 	if (err)
3586 		return err;
3587 
3588 	if (crypto_memneq(res, exp, 16))
3589 		return -EINVAL;
3590 
3591 	return 0;
3592 }
3593 
3594 static int __init test_f4(struct crypto_shash *tfm_cmac)
3595 {
3596 	const u8 u[32] = {
3597 			0xe6, 0x9d, 0x35, 0x0e, 0x48, 0x01, 0x03, 0xcc,
3598 			0xdb, 0xfd, 0xf4, 0xac, 0x11, 0x91, 0xf4, 0xef,
3599 			0xb9, 0xa5, 0xf9, 0xe9, 0xa7, 0x83, 0x2c, 0x5e,
3600 			0x2c, 0xbe, 0x97, 0xf2, 0xd2, 0x03, 0xb0, 0x20 };
3601 	const u8 v[32] = {
3602 			0xfd, 0xc5, 0x7f, 0xf4, 0x49, 0xdd, 0x4f, 0x6b,
3603 			0xfb, 0x7c, 0x9d, 0xf1, 0xc2, 0x9a, 0xcb, 0x59,
3604 			0x2a, 0xe7, 0xd4, 0xee, 0xfb, 0xfc, 0x0a, 0x90,
3605 			0x9a, 0xbb, 0xf6, 0x32, 0x3d, 0x8b, 0x18, 0x55 };
3606 	const u8 x[16] = {
3607 			0xab, 0xae, 0x2b, 0x71, 0xec, 0xb2, 0xff, 0xff,
3608 			0x3e, 0x73, 0x77, 0xd1, 0x54, 0x84, 0xcb, 0xd5 };
3609 	const u8 z = 0x00;
3610 	const u8 exp[16] = {
3611 			0x2d, 0x87, 0x74, 0xa9, 0xbe, 0xa1, 0xed, 0xf1,
3612 			0x1c, 0xbd, 0xa9, 0x07, 0xf1, 0x16, 0xc9, 0xf2 };
3613 	u8 res[16];
3614 	int err;
3615 
3616 	err = smp_f4(tfm_cmac, u, v, x, z, res);
3617 	if (err)
3618 		return err;
3619 
3620 	if (crypto_memneq(res, exp, 16))
3621 		return -EINVAL;
3622 
3623 	return 0;
3624 }
3625 
3626 static int __init test_f5(struct crypto_shash *tfm_cmac)
3627 {
3628 	const u8 w[32] = {
3629 			0x98, 0xa6, 0xbf, 0x73, 0xf3, 0x34, 0x8d, 0x86,
3630 			0xf1, 0x66, 0xf8, 0xb4, 0x13, 0x6b, 0x79, 0x99,
3631 			0x9b, 0x7d, 0x39, 0x0a, 0xa6, 0x10, 0x10, 0x34,
3632 			0x05, 0xad, 0xc8, 0x57, 0xa3, 0x34, 0x02, 0xec };
3633 	const u8 n1[16] = {
3634 			0xab, 0xae, 0x2b, 0x71, 0xec, 0xb2, 0xff, 0xff,
3635 			0x3e, 0x73, 0x77, 0xd1, 0x54, 0x84, 0xcb, 0xd5 };
3636 	const u8 n2[16] = {
3637 			0xcf, 0xc4, 0x3d, 0xff, 0xf7, 0x83, 0x65, 0x21,
3638 			0x6e, 0x5f, 0xa7, 0x25, 0xcc, 0xe7, 0xe8, 0xa6 };
3639 	const u8 a1[7] = { 0xce, 0xbf, 0x37, 0x37, 0x12, 0x56, 0x00 };
3640 	const u8 a2[7] = { 0xc1, 0xcf, 0x2d, 0x70, 0x13, 0xa7, 0x00 };
3641 	const u8 exp_ltk[16] = {
3642 			0x38, 0x0a, 0x75, 0x94, 0xb5, 0x22, 0x05, 0x98,
3643 			0x23, 0xcd, 0xd7, 0x69, 0x11, 0x79, 0x86, 0x69 };
3644 	const u8 exp_mackey[16] = {
3645 			0x20, 0x6e, 0x63, 0xce, 0x20, 0x6a, 0x3f, 0xfd,
3646 			0x02, 0x4a, 0x08, 0xa1, 0x76, 0xf1, 0x65, 0x29 };
3647 	u8 mackey[16], ltk[16];
3648 	int err;
3649 
3650 	err = smp_f5(tfm_cmac, w, n1, n2, a1, a2, mackey, ltk);
3651 	if (err)
3652 		return err;
3653 
3654 	if (crypto_memneq(mackey, exp_mackey, 16))
3655 		return -EINVAL;
3656 
3657 	if (crypto_memneq(ltk, exp_ltk, 16))
3658 		return -EINVAL;
3659 
3660 	return 0;
3661 }
3662 
3663 static int __init test_f6(struct crypto_shash *tfm_cmac)
3664 {
3665 	const u8 w[16] = {
3666 			0x20, 0x6e, 0x63, 0xce, 0x20, 0x6a, 0x3f, 0xfd,
3667 			0x02, 0x4a, 0x08, 0xa1, 0x76, 0xf1, 0x65, 0x29 };
3668 	const u8 n1[16] = {
3669 			0xab, 0xae, 0x2b, 0x71, 0xec, 0xb2, 0xff, 0xff,
3670 			0x3e, 0x73, 0x77, 0xd1, 0x54, 0x84, 0xcb, 0xd5 };
3671 	const u8 n2[16] = {
3672 			0xcf, 0xc4, 0x3d, 0xff, 0xf7, 0x83, 0x65, 0x21,
3673 			0x6e, 0x5f, 0xa7, 0x25, 0xcc, 0xe7, 0xe8, 0xa6 };
3674 	const u8 r[16] = {
3675 			0xc8, 0x0f, 0x2d, 0x0c, 0xd2, 0x42, 0xda, 0x08,
3676 			0x54, 0xbb, 0x53, 0xb4, 0x3b, 0x34, 0xa3, 0x12 };
3677 	const u8 io_cap[3] = { 0x02, 0x01, 0x01 };
3678 	const u8 a1[7] = { 0xce, 0xbf, 0x37, 0x37, 0x12, 0x56, 0x00 };
3679 	const u8 a2[7] = { 0xc1, 0xcf, 0x2d, 0x70, 0x13, 0xa7, 0x00 };
3680 	const u8 exp[16] = {
3681 			0x61, 0x8f, 0x95, 0xda, 0x09, 0x0b, 0x6c, 0xd2,
3682 			0xc5, 0xe8, 0xd0, 0x9c, 0x98, 0x73, 0xc4, 0xe3 };
3683 	u8 res[16];
3684 	int err;
3685 
3686 	err = smp_f6(tfm_cmac, w, n1, n2, r, io_cap, a1, a2, res);
3687 	if (err)
3688 		return err;
3689 
3690 	if (crypto_memneq(res, exp, 16))
3691 		return -EINVAL;
3692 
3693 	return 0;
3694 }
3695 
3696 static int __init test_g2(struct crypto_shash *tfm_cmac)
3697 {
3698 	const u8 u[32] = {
3699 			0xe6, 0x9d, 0x35, 0x0e, 0x48, 0x01, 0x03, 0xcc,
3700 			0xdb, 0xfd, 0xf4, 0xac, 0x11, 0x91, 0xf4, 0xef,
3701 			0xb9, 0xa5, 0xf9, 0xe9, 0xa7, 0x83, 0x2c, 0x5e,
3702 			0x2c, 0xbe, 0x97, 0xf2, 0xd2, 0x03, 0xb0, 0x20 };
3703 	const u8 v[32] = {
3704 			0xfd, 0xc5, 0x7f, 0xf4, 0x49, 0xdd, 0x4f, 0x6b,
3705 			0xfb, 0x7c, 0x9d, 0xf1, 0xc2, 0x9a, 0xcb, 0x59,
3706 			0x2a, 0xe7, 0xd4, 0xee, 0xfb, 0xfc, 0x0a, 0x90,
3707 			0x9a, 0xbb, 0xf6, 0x32, 0x3d, 0x8b, 0x18, 0x55 };
3708 	const u8 x[16] = {
3709 			0xab, 0xae, 0x2b, 0x71, 0xec, 0xb2, 0xff, 0xff,
3710 			0x3e, 0x73, 0x77, 0xd1, 0x54, 0x84, 0xcb, 0xd5 };
3711 	const u8 y[16] = {
3712 			0xcf, 0xc4, 0x3d, 0xff, 0xf7, 0x83, 0x65, 0x21,
3713 			0x6e, 0x5f, 0xa7, 0x25, 0xcc, 0xe7, 0xe8, 0xa6 };
3714 	const u32 exp_val = 0x2f9ed5ba % 1000000;
3715 	u32 val;
3716 	int err;
3717 
3718 	err = smp_g2(tfm_cmac, u, v, x, y, &val);
3719 	if (err)
3720 		return err;
3721 
3722 	if (val != exp_val)
3723 		return -EINVAL;
3724 
3725 	return 0;
3726 }
3727 
3728 static int __init test_h6(struct crypto_shash *tfm_cmac)
3729 {
3730 	const u8 w[16] = {
3731 			0x9b, 0x7d, 0x39, 0x0a, 0xa6, 0x10, 0x10, 0x34,
3732 			0x05, 0xad, 0xc8, 0x57, 0xa3, 0x34, 0x02, 0xec };
3733 	const u8 key_id[4] = { 0x72, 0x62, 0x65, 0x6c };
3734 	const u8 exp[16] = {
3735 			0x99, 0x63, 0xb1, 0x80, 0xe2, 0xa9, 0xd3, 0xe8,
3736 			0x1c, 0xc9, 0x6d, 0xe7, 0x02, 0xe1, 0x9a, 0x2d };
3737 	u8 res[16];
3738 	int err;
3739 
3740 	err = smp_h6(tfm_cmac, w, key_id, res);
3741 	if (err)
3742 		return err;
3743 
3744 	if (crypto_memneq(res, exp, 16))
3745 		return -EINVAL;
3746 
3747 	return 0;
3748 }
3749 
3750 static char test_smp_buffer[32];
3751 
3752 static ssize_t test_smp_read(struct file *file, char __user *user_buf,
3753 			     size_t count, loff_t *ppos)
3754 {
3755 	return simple_read_from_buffer(user_buf, count, ppos, test_smp_buffer,
3756 				       strlen(test_smp_buffer));
3757 }
3758 
3759 static const struct file_operations test_smp_fops = {
3760 	.open		= simple_open,
3761 	.read		= test_smp_read,
3762 	.llseek		= default_llseek,
3763 };
3764 
3765 static int __init run_selftests(struct crypto_cipher *tfm_aes,
3766 				struct crypto_shash *tfm_cmac)
3767 {
3768 	ktime_t calltime, delta, rettime;
3769 	unsigned long long duration;
3770 	int err;
3771 
3772 	calltime = ktime_get();
3773 
3774 	err = test_debug_key();
3775 	if (err) {
3776 		BT_ERR("debug_key test failed");
3777 		goto done;
3778 	}
3779 
3780 	err = test_ah(tfm_aes);
3781 	if (err) {
3782 		BT_ERR("smp_ah test failed");
3783 		goto done;
3784 	}
3785 
3786 	err = test_c1(tfm_aes);
3787 	if (err) {
3788 		BT_ERR("smp_c1 test failed");
3789 		goto done;
3790 	}
3791 
3792 	err = test_s1(tfm_aes);
3793 	if (err) {
3794 		BT_ERR("smp_s1 test failed");
3795 		goto done;
3796 	}
3797 
3798 	err = test_f4(tfm_cmac);
3799 	if (err) {
3800 		BT_ERR("smp_f4 test failed");
3801 		goto done;
3802 	}
3803 
3804 	err = test_f5(tfm_cmac);
3805 	if (err) {
3806 		BT_ERR("smp_f5 test failed");
3807 		goto done;
3808 	}
3809 
3810 	err = test_f6(tfm_cmac);
3811 	if (err) {
3812 		BT_ERR("smp_f6 test failed");
3813 		goto done;
3814 	}
3815 
3816 	err = test_g2(tfm_cmac);
3817 	if (err) {
3818 		BT_ERR("smp_g2 test failed");
3819 		goto done;
3820 	}
3821 
3822 	err = test_h6(tfm_cmac);
3823 	if (err) {
3824 		BT_ERR("smp_h6 test failed");
3825 		goto done;
3826 	}
3827 
3828 	rettime = ktime_get();
3829 	delta = ktime_sub(rettime, calltime);
3830 	duration = (unsigned long long) ktime_to_ns(delta) >> 10;
3831 
3832 	BT_INFO("SMP test passed in %llu usecs", duration);
3833 
3834 done:
3835 	if (!err)
3836 		snprintf(test_smp_buffer, sizeof(test_smp_buffer),
3837 			 "PASS (%llu usecs)\n", duration);
3838 	else
3839 		snprintf(test_smp_buffer, sizeof(test_smp_buffer), "FAIL\n");
3840 
3841 	debugfs_create_file("selftest_smp", 0444, bt_debugfs, NULL,
3842 			    &test_smp_fops);
3843 
3844 	return err;
3845 }
3846 
3847 int __init bt_selftest_smp(void)
3848 {
3849 	struct crypto_cipher *tfm_aes;
3850 	struct crypto_shash *tfm_cmac;
3851 	int err;
3852 
3853 	tfm_aes = crypto_alloc_cipher("aes", 0, CRYPTO_ALG_ASYNC);
3854 	if (IS_ERR(tfm_aes)) {
3855 		BT_ERR("Unable to create AES crypto context");
3856 		return PTR_ERR(tfm_aes);
3857 	}
3858 
3859 	tfm_cmac = crypto_alloc_shash("cmac(aes)", 0, CRYPTO_ALG_ASYNC);
3860 	if (IS_ERR(tfm_cmac)) {
3861 		BT_ERR("Unable to create CMAC crypto context");
3862 		crypto_free_cipher(tfm_aes);
3863 		return PTR_ERR(tfm_cmac);
3864 	}
3865 
3866 	err = run_selftests(tfm_aes, tfm_cmac);
3867 
3868 	crypto_free_shash(tfm_cmac);
3869 	crypto_free_cipher(tfm_aes);
3870 
3871 	return err;
3872 }
3873 
3874 #endif
3875